b'  AUDIT OF THE DEPARTMENT OF\nJUSTICE INFORMATION TECHNOLOGY\nSTUDIES, PLANS, AND EVALUATIONS\n\n        U.S. Department of Justice\n      Office of the Inspector General\n               Audit Division\n\n           Audit Report 07-39\n              August 2007\n\x0c\x0c                AUDIT OF THE DEPARTMENT OF JUSTICE\n                    INFORMATION TECHNOLOGY\n                 STUDIES, PLANS, AND EVALUATIONS\n\n                          EXECUTIVE SUMMARY\n\nBackground\n\n        This report is the final in a series of three reports prepared by the\nDepartment of Justice (Department) Office of the Inspector General (OIG) in\nresponse to a congressional request included in the Department\xe2\x80\x99s\nappropriation for fiscal year (FY) 2006. Specifically, Congress instructed the\nOIG to present to the Committees on Appropriations: (1) an inventory of all\nmajor Department information technology (IT) systems and planned\ninitiatives, and (2) a report that details all research, plans, studies, and\nevaluations that the Department has produced, or is in the process of\nproducing, concerning IT systems, needs, plans, and initiatives. Congress\nrequested that the OIG include an analysis identifying the depth and scope\nof problems the Department has experienced in the formulation of its IT\nplans.\n\n      The OIG\xe2\x80\x99s first report, issued in March 2006, presented an unverified\ninventory of the Department\xe2\x80\x99s major IT investments based on information\nreported to the Office of Management and Budget (OMB) for budget\npurposes. The inventory contained 46 major investments, each with\nprojected costs at or exceeding $15 million for FYs 2005 through 2007.\n\n      The second report, issued in June 2007, presented the refined\ninventory of major systems according to criteria developed by the OIG,\nreducing the number of major systems to 38. The second report also\nexamined issues related to verifying cost information about the 38 systems.\n\n       This third and final report addresses the request for the OIG to\nprepare a report that details the research, plans, studies, and evaluations\nrelated to the Department\xe2\x80\x99s information technology initiatives. This report\nalso includes an analysis of problems related to IT planning that have been\nidentified in previous OIG reports.\n\n       Our work involved the Department\xe2\x80\x99s Office of the Chief Information\nOfficer and eight of the Department\xe2\x80\x99s components or offices. We generally\nfocused our audit on the 38 major systems and initiatives that were\nidentified in the refined OIG inventory. These included the following number\nof systems in the chart below for each of the Department\xe2\x80\x99s components\nrepresented in the revised inventory.\n\n\n                                       i\n\x0c                                                                               Number of\n                                     Component\n                                                                                Systems\n             Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)             1\n             Bureau of Prisons (BOP)                                               1\n             Drug Enforcement Administration (DEA)                                  1\n                                                                                  6\n             Executive Office for Immigration Review (EOIR)                        1\n             Federal Bureau of Investigation (FBI)                                21\n             Justice Management Division (JMD)                                     6\n             Office of the Deputy Attorney General (ODAG)                          1\n             Office of Justice Programs (OJP)                                      1\n             Total                                                                38\n              Source: Department of Justice, Office of the Inspector General\n\n      The types of systems, stages of development, and scopes of the\nprojects vary widely. The systems include infrastructure acquisitions and\napplication development projects that are in the early phases of planning\nand others that had been operational for several years.\n\nOIG\xe2\x80\x99s Audit Approach\n\n      Our audit objectives were to: (1) identify all research, plans, studies,\nand evaluations that the Department has produced, or is in the process of\nproducing, concerning IT systems, needs, plans, and initiatives; and\n(2) analyze the depth and scope of the problems the Department has\nexperienced in the formulation of its IT plans.\n\n      We identified relevant federal, Department, and component-specific\nrequirements and standards for IT research, studies, plans, and evaluations,\nand merged the various standards into a generic set of documents. We\nrequested and obtained documents from the components to develop the\ninventory, and assessed compliance with the document standards for the\nmajor systems in the inventory. For this audit report, we focused\nspecifically on studies and research that justified the selection of\ninvestments in the OIG\xe2\x80\x99s revised inventory of major IT systems and projects,\nplans that were developed after the investments were authorized, and\nevaluations that were performed after systems were implemented.\n\n      1\n         In the previously issued OIG report on Identification and Review of the\nDepartment\xe2\x80\x99s Major Information Technology Systems Inventory, which provides information\non the cost of the Department\xe2\x80\x99s major IT systems, we included seven systems for the DEA\nand none for the ODAG. The seven systems included the Organized Crime Drug\nEnforcement Task Force (OCDETF) Fusion Center System (OFC) because the DEA\xe2\x80\x99s\nunobligated funds developed the OFC. However, in this report we include the OFC as part of\nthe ODAG because the system actually resides in that office.\n\n\n\n                                                 ii\n\x0c      To evaluate problems the Department has experienced in its IT\nplanning, we analyzed the evaluations obtained for information about\nproblems the Department has experienced in formulating IT plans. We\nreviewed relevant audit and other independent reports, extending the scope\nof our audit work to some systems and projects that were not included in\nthe inventory of major systems. We also asked the components to inform us\nof IT projects that had been terminated or had experienced problems.\n\nIT Management\n\n      The Deputy Assistant Attorney General for Information Resources\nManagement (DAAG/IRM), who reports to the Assistant Attorney General for\nAdministration, serves as the Department\xe2\x80\x99s Chief Information Officer (CIO).\nThe CIO\xe2\x80\x99s responsibilities include establishing and implementing\nDepartment-wide IT policies and standards, developing the Department\xe2\x80\x99s IT\nStrategic Plan, and reviewing and evaluating the performance of the\nDepartment\xe2\x80\x99s IT programs and projects. In his role as the DAAG/IRM, the\nCIO leads the Information Resources Management (IRM) office of the Justice\nManagement Division (JMD).\n\n      JMD developed and operates many systems that serve more than one\ncomponent in the Department. The Department\xe2\x80\x99s other components are\nresponsible for providing information to the CIO, demonstrating that\nresources are being well spent and managed, and using the methodology in\nthe Department\xe2\x80\x99s standards for information systems. Each of the\ncomponents included in the revised inventory has its own CIO, except for\nthe Office of the Deputy Attorney General.\n\n       Numerous federal, Department, and component guidelines establish\ncriteria for IT research, studies, plans, and evaluations. The guidelines come\nfrom both IT and budget authorities, and can apply to the Department as a\nwhole or to individual components, such as the DEA or FBI. The various\nstandards should complement one another. However, the IT compliance\nenvironment is complex and involves strategic planning, IT development\nmethodologies, IT investment management, enterprise architecture,\nprocurement, and budgeting. 2 Additionally, many standards exist as\nguidelines rather than requirements, and allow flexibility for variation.\n\n\n       2\n         Enterprise architecture (EA) is a blueprint that explains and guides how an\norganization\xe2\x80\x99s IT and information management elements work together to accomplish the\nmission of the organization. An EA addresses business activities and processes, data sets\nand information flows, applications and software, and technology.\n\n\n\n                                            iii\n\x0c      IT projects can be expected to go through a process of identifying a\nbusiness need and alternative solutions for meeting the need, selecting the\nbest alternative, planning to acquire or build the solution, defining specific\nrequirements, and designing, building, testing, implementing, and evaluating\nthe implemented solution. The Department\xe2\x80\x99s Systems Development Life\nCycle Guidance Document (SDLC) describes 10 life-cycle phases with\nassociated tasks and deliverable products, including specific studies, plans,\nand evaluations. For different types of acquisitions and smaller-scope\nprojects, the life-cycle work pattern can be tailored to reduce the workload\nfrom a full sequential work pattern. Tailoring the work pattern may include\ndropping requirements for specific tasks, studies, plans, and evaluations.\nDifferent sets of deliverables are identified in other standards, such as the\nDepartment\xe2\x80\x99s Information Technology Investment Management Guide (ITIM\nGuide) and the FBI\xe2\x80\x99s Life Cycle Management Directive (LCMD). 3\n\n      Both the SDLC and ITIM tasks and deliverables generally follow the\nprogression of IT projects chronologically. Under both, studies and research,\nsuch as alternatives analyses, feasibility studies, risk analyses, and market\nresearch for possible solutions, are performed early in the life of a system as\nthe basis for selecting the best alternative and preparing the business case\nfor the project. Major plans of all types, such as project management plans\nand quality assurance plans, are developed after the selected approach has\nbeen authorized. Post-implementation reviews, in-process review reports,\nand user satisfaction reviews are types of evaluations that occur after an IT\nsystem has been implemented or a project has been terminated. We used\nthis chronological approach to identify and organize the studies, research,\nplans, and evaluations that are addressed in this audit.\n\n       This chronological approach is qualified by the evolutionary nature of\nthe entire life-cycle process. As projects evolve to become more defined\nover time, plans should also become more defined. The life cycle of\nidentifying business needs, selecting best alternatives, determining which IT\ninvestments should be added to and continued in the Department\xe2\x80\x99s portfolio,\nacquiring and building solutions, and evaluating the results is intended to be\niterative and ongoing. Both the SDLC and ITIM also require various types of\nongoing evaluations to occur regularly as decision points are reached during\nthe course of IT projects.\n\n\n\n       3\n          ITIM processes help identify needed IT projects, select new projects, and track\nand oversee project costs and schedules. The LCMD is the FBI\xe2\x80\x99s systems development life\ncycle guidance defining IT project management procedures and documentation\nrequirements.\n\n\n\n                                            iv\n\x0cDepartment IT Studies, Plans, and Evaluations\n\n        Two comprehensive IT plans for the Department are required by Office\nof Management and Budget (OMB) standards: the Department\xe2\x80\x99s IT Capital\nPlan and IT Strategic Plan. The IT Capital Plan, Agency IT Investment\nPortfolio, described in the second of the OIG\xe2\x80\x99s three IT reports, represents\nthe Department\xe2\x80\x99s inventory of major IT investments. For this audit, we\nreviewed the Department\xe2\x80\x99s IT Strategic Plan, which is described in Finding 1\nof this report. Components are also allowed to develop their own IT\nstrategic plans, as long as they are consistent with the Department\xe2\x80\x99s plan. 4\nFive of the components we reviewed had developed their own IT strategic\nplans. The IT strategic plans are listed in Appendix III of this report. All\nother documents described in Finding 1, \xe2\x80\x9cStudies, Plans, and Evaluations,\xe2\x80\x9d\nwere prepared in response to standards associated with each system or\ninitiative.\n\n       Studies required by the various standards for IT activities and\ndocuments associated with each IT system or project are generally prepared\nearly in the life cycle of an IT project to identify and evaluate possible\nalternative solutions to meet a business need. The studies include market\nresearch, alternative analyses, feasibility studies, cost-benefit analyses (or\nbenefit-cost analyses), risk analyses, and privacy impact assessments.\n\n      The plans specified by the Department\xe2\x80\x99s SDLC for each IT system or\nproject include many types that are developed after an alternative solution\nhas been selected. These include the following plans.\n\n    \xe2\x80\xa2       risk management                        \xe2\x80\xa2   validation and verification\n    \xe2\x80\xa2       acquisition                            \xe2\x80\xa2   testing\n    \xe2\x80\xa2       project management                     \xe2\x80\xa2   conversion\n    \xe2\x80\xa2       system security                        \xe2\x80\xa2   implementation\n    \xe2\x80\xa2       systems engineering management         \xe2\x80\xa2   training\n    \xe2\x80\xa2       configuration management               \xe2\x80\xa2   contingency\n    \xe2\x80\xa2       quality assurance                      \xe2\x80\xa2   disposition\n\n      For evaluations, we requested reports of evaluations specified in the\nSDLC, such as post-implementation review reports, in-process review\nreports, and user satisfaction review reports. Post-implementation reviews\nare conducted after a system has been in production for a period of time and\nare used to evaluate the effectiveness of the system development. The\n\n\n        4\n         DOJ Order 2880.1B, Information Resources Management Program, allows, but\ndoes not require, components to develop their own IT strategic plans.\n\n\n\n                                          v\n\x0creview should determine whether the system does what it was designed to\ndo, supports users as required, and was successful in terms of functionality,\nperformance, and cost benefit. It should also assess the effectiveness of the\ndevelopment activities that produced the systems. The review results\nshould be used to strengthen the systems as well as system development\nprocedures. In-process reviews are performed during operations and\nmaintenance to assess system performance and user satisfaction, and\nshould occur repeatedly after a system has been implemented to ensure the\nsystem continues to meet needs and perform effectively.\n\n        Components submitted more than 800 items that we accepted as\nresponsive to our requests. Of the 800 items, 494 were entire documents\nwe categorized as studies, plans, and evaluations, which we included in our\nlist of documents. The other items submitted by components were artifacts\nor other products of the system development and acquisition process.\nArtifacts included items such as briefing slides, spreadsheets showing\nschedules and work breakdown structures, and various progress reports.\nThe studies, plans, and evaluations are listed in Appendix V to this report.\n\n      While many of the documents specified in various guidelines were\nproduced, significant gaps existed between the studies, plans, and\nevaluations described in the guidelines and what was prepared by the\ncomponents. Only seven post-implementation evaluations were obtained, of\nwhich four did not reflect lessons learned in terms of project planning and\nmanagement.\n\n      We found the highest levels of compliance in the areas of business\ncase documents, which become part of the Department\xe2\x80\x99s annual budget\nprocess and are required to obtain funding for each system or project, and\nsecurity plans, which are required for projects to obtain authorization to\noperate. The components provided at least one business case document for\n36 of the 38 systems in the inventory. The two exceptions, the FBI\xe2\x80\x99s\nInvestigative Data Warehouse (IDW) and Secure Compartmented\nInformation Operational Network (SCION), are included in an \xe2\x80\x9cumbrella\xe2\x80\x9d\nbusiness case that represents the Department\xe2\x80\x99s consolidated enterprise\ninfrastructure (CEI). The business case document represents the single\ndocument type for which we found 100 percent compliance.\n\n       System security plans also had a high level of compliance. We\nobtained system security plans for 32 of the 38 projects. The six other\nprojects were either too early in the life cycle for preparation of this\ndocument, or a draft security plan was undergoing review. Components also\ndemonstrated a high level of compliance with privacy impact assessments\n(PIA), and we found acceptable explanations for the projects that did not\n\n\n                                     vi\n\x0csubmit a PIA. Components provided project management plans for 29 of the\n38 projects, and explained all but one of those exceptions.\n\n       However, we found compliance in the areas of systems engineering\nmanagement, configuration management, quality assurance, validation and\nverification, and training plans was significantly lower. The components\ncited several different reasons for not providing documents relating to these\nissues that we requested. The reasons included: (1) the requirement was\nnot applicable to the investment; (2) a waiver to the requirement had been\ngranted; (3) planning for the system pre-dated FY 2000 and the\ndocumentation was not available; (4) the system was purchased\ncommercially off-the-shelf eliminating the need for certain processes; and\n(5) the investment had not reached the applicable point in the life cycle.\n\n      Department oversight is designed to focus on the capital planning and\ninvestment control (CPIC) process concerned with selecting and prioritizing\nIT investments. According to JMD officials and DOJ Order 2880.1b,\nDepartment oversight is not designed to enforce policies and procedures on\ndocumentation. 5 JMD officials told us they do not perform independent\nreviews of the other components\xe2\x80\x99 IT projects, nor do they receive major\nstudies, plans, and evaluations from the components to review. The\nDepartment-level oversight of major IT projects is performed through\npresentations to the Department\xe2\x80\x99s Investment Review Board, the CIO\xe2\x80\x99s\nDashboard report, and through the OMB exhibit 300s, all of which are\ndescribed in the second report in this series. This allows some tracking of\nactual performance against scheduled milestones and costs, but does not\ninvolve JMD officials in the details of IT documentation for individual\nprojects.\n\n      Based on the limited number of certain types of plans and evaluations\nproduced on these major systems and projects, we recommend that the CIO\nevaluate why project teams do not prepare certain plans and evaluations,\nreassess the utility of those documents, and consider revising the standards\nfor producing IT studies, plans, and evaluations for individual IT projects.\n\n       Many standards exist that define the types of studies, plans, and\nevaluations that should be performed for individual projects. The standards\nallow significant flexibility through waivers of document requirements and\ntailoring of the processes. For example, the SDLCs and FBI\xe2\x80\x99s LCMD\nencourage tailoring the documentation standards to the size and complexity\nof the project. Although the SDLCs specify many studies, plans, and\n\n      5\n          The CIO does have specific responsibilities to enforce security standards.\n\n\n\n                                             vii\n\x0cevaluations for all types of projects in the tailoring guidelines, we found that\nmany Department projects have not generated these \xe2\x80\x9crequired\xe2\x80\x9d documents.\nIt is possible that the standards are not necessarily appropriate to different\ntypes of projects or acquisitions and should be revised. The Department\nshould exercise increased oversight of the tailoring being done, and consider\nrevising the guidelines for tailoring the work pattern for specific types of\nprojects.\n\nIT Planning Problems\n\n       To identify problems the Department has experienced in planning for\nIT systems and projects, we reviewed previous OIG audits and other reports.\nWe also reviewed the evaluations we obtained from the components to help\nidentify problems the Department has experienced in planning for IT\nsystems.\n\n      We asked components for information on IT projects that had failed or\nbeen terminated. Other than one portion of the FBI\xe2\x80\x99s Trilogy project and the\nFBI\xe2\x80\x99s Laboratory Information Management System (LIMS) project, the\ncomponents told us they were not aware of failed or terminated projects.\nThe OIG found during work on the second report in this series that JMD\xe2\x80\x99s\nJustice Consolidated Office Network (JCON) project had experienced a\nproject termination sometime before FY 2002 prior to the current project.\nJMD, however, was not able to provide any information about the failure.\nThe fact that no evaluation was performed to assess reasons for the failure\nsuggests a serious gap in standards for evaluations. Terminated projects\nshould be evaluated to determine the causes of the problems.\n\n       We also found that the Department had produced few evaluations of\nproject management or success for IT projects in post-implementation\nreviews. According to the DOJ SDLC, one purpose of post-implementation\nreviews is to assess the effectiveness of the life-cycle development activities\nthat produced the system. This includes analyzing if proper limits were\nestablished in the feasibility study and if the limits were maintained during\nimplementation, addressing the reasons for variances between planned and\nrealized benefits, addressing the reasons for differences between estimated\nand actual costs, and evaluating whether training was adequate,\nappropriate, and timely. The review results are intended to be used to\nstrengthen the system development procedures, as well as the system itself.\n\n      The DOJ ITIM Guide calls for continuous monitoring of investments to\nassess progress against established cost, schedule, and performance metrics\nin order to mitigate any risks or costs on an on-going basis. The DOJ ITIM\nGuide also indicates that the activities of the evaluation phase include\n\n\n                                      viii\n\x0capplying lessons learned from post-implementation reviews and periodic\noperational analyses for ITIM process improvement. The lessons learned for\nITIM process should be incorporated into the select and control phases for\nfuture IT investments.\n\n      The OIG has issued audit and inspection reports about IT systems and\nproject management that have focused on various IT concerns. These\ninclude the management and progress of individual IT projects, IT\nmanagement in general, the performance of individual systems following\nimplementation, system security, and system controls in financial\nmanagement systems. Appendix VII lists prior OIG audits and inspections\non IT issues that we reviewed for this analysis.\n\n      Among the problems that have been described in previous audit\nreports related to IT planning were weaknesses in investment and program\nmanagement practices, business process re-engineering (BPR), cooperation\nbetween agencies, and contract management. BPR is defined as the\nredesign of the organization, culture, and business processes using\ntechnology as an enabler to achieve significant improvements in cost, time,\nservice, and quality.\n\n      For example, various contracting and program management\nweaknesses contributed to the failure of the FBI\xe2\x80\x99s Virtual Case File (VCF)\nproject. The FBI did not effectively oversee the contract and failed to\nestablish firm milestones to be achieved before the project could move to\nthe next phase. In the FBI\xe2\x80\x99s LIMS project, the OIG found that firmly\nmanaged schedule, cost, technical, and performance benchmarks for the\ncontract would have raised warning signs earlier in the project and perhaps\nled to resolution of the problems encountered. 6\n\n      The DOJ System Development Life Cycle Guidance Document indicates\nthat business process re-engineering (BPR) should be the underpinning of\nany new system development or initiative, as part of strategic planning for\ninformation systems, and that agencies should consider BPR before\nrequesting funding for a new project or system development effort.\nHowever, reviews have raised issues related to weaknesses in business\nprocess re-engineering in the planning of the Department\xe2\x80\x99s IT projects. One\nstudy of the FBI\xe2\x80\x99s terminated VCF project found that senior managers were\nnot involved in efforts to re-engineer business processes or in rethinking the\nFBI\xe2\x80\x99s use of IT, and that while users working on the re-engineering were\n\n      6\n        The FBI\xe2\x80\x99s Laboratory Information Management System (LIMS) project contract\nwas terminated after the FBI determined the system would not be able to meet security\nrequirements. See the discussion in Finding 2.\n\n\n\n                                           ix\n\x0cexperienced agents, none had experience with complex IT development\nprojects or business process re-engineering.\n\n      Requirements planning is another area that has been cited as weak in\nspecific audit reports. For example, the LIMS project was terminated in large\npart due to problems with the security requirements of the system, which\nwere not fully defined early in the project. The LIMS Request for Proposal\n(RFP) had required security to be part of the system, but the FBI\nstrengthened its security requirements after the contract award following\nhigh-profile espionage-related security breaches in the FBI. The audit found\nthat the FBI had failed to document security requirements adequately and,\nto the extent the security requirements evolved, did not clarify those\nchanges through contract modifications.\n\nConclusion\n\n      This audit sought to identify research, plans, studies, and evaluations\nthat the Department has produced or is in the process of producing\nconcerning IT systems, needs, plans, and initiatives. In addition, we\nanalyzed the depth and scope of the problems the Department has\nexperienced in the formulation of its IT plans.\n\n      Components submitted 494 documents that we categorized as studies,\nplans, and evaluations, related to federal, Department, and component-\nspecific requirements and standards. Many of the documents specified in\nvarious criteria were produced, but significant gaps existed between the\nstudies, plans, and evaluations described in criteria and what was prepared.\n\n      We found the highest levels of compliance in the areas of business\ncase documents, which become part of the Department\xe2\x80\x99s annual budget\nprocess and are required to obtain funding for each system or project, and\nsecurity plans, which are required for projects to obtain authorization to\noperate. The components provided at least one business case document for\n36 of the 38 systems in the inventory. The two exceptions, the FBI\xe2\x80\x99s\nInvestigative Data Warehouse (IDW) and Secure Compartmented\nInformation Operational Network (SCION), are included in an \xe2\x80\x9cumbrella\xe2\x80\x9d\nbusiness case that represents the Department\xe2\x80\x99s consolidated enterprise\ninfrastructure (CEI).\n\n       System security plans also had a high level of compliance. We\nobtained security plans for 32 of the 38 projects. The six other projects\nwere either too early in the life cycle for preparation of this document, or a\ndraft security plan was undergoing review. Components also demonstrated\na high level of compliance with privacy impact assessments (PIA), and we\n\n\n                                       x\n\x0cfound acceptable explanations for the projects that did not submit a PIA.\nComponents also provided project management plans for 29 of the 38\nprojects, and explained all but one of those exceptions.\n\n       However, we found compliance in the areas of systems engineering\nmanagement, configuration management, quality assurance, validation and\nverification, and training plans was significantly lower. In addition,\ncomponents provided only seven post-implementation review reports.\n\n     Prior OIG reports have identified planning problems on individual\nsystems and projects that include weaknesses in business process re-\nengineering, requirements planning, cooperation between agencies, and IT\nprogram and contract management. These weaknesses have contributed to:\n\n  \xe2\x80\xa2   project re-starts, cost increases, and delays in the FBI\xe2\x80\x99s\n      implementation of a case management system,\n\n  \xe2\x80\xa2   the termination of the FBI\xe2\x80\x99s LIMS project,\n\n  \xe2\x80\xa2   delays in implementing an interoperable fingerprint identification\n      system that can be used by both the Department and federal\n      immigration authorities, and\n\n  \xe2\x80\xa2   data integrity problems in the TSC database.\n\n       We originally planned to use evaluations we obtained from\ncomponents to identify problems the Department has experienced in\nplanning for IT systems. This was not possible because the Department has\nproduced so few evaluations of project management for either successful or\nfailed IT projects, with the exception of two terminated projects in the FBI.\n\n      In this report, we made five recommendations to the Department,\nsuch as recommending that the Department evaluate why project teams do\nnot prepare certain plans and evaluations, reassess the utility of those\ndocuments, and consider revising the standards for producing IT studies,\nplans, and evaluations for individual IT projects. We also recommend that\nthe Department consider revising the guidelines for tailoring the work\npattern for specific types of projects. Additional recommendations focus on\nimproving the evaluation of IT project management in the Department and\nimproving business process re-engineering, and contract management and\noversight. We believe the Department should ensure that evaluations are\nperformed on both implemented systems and terminated projects that focus\non lessons learned on planning and project management issues.\n\n\n\n                                       xi\n\x0ci\n\x0c                                      Table of Contents\n\n\nINTRODUCTION .................................................................................. 1\n\n  Background ..................................................................................... 1\n  Major Systems ................................................................................. 2\n  Information Technology Organizations................................................. 4\n  Standards for IT Studies, Plans, and Evaluations................................... 7\n  IT System Life-Cycle Concepts ......................................................... 11\n  Audit Approach .............................................................................. 14\n\nFINDINGS AND RECOMMENDATIONS ................................................... 16\n\nFinding 1: Studies, Plans, and Evaluations ........................................... 16\n\n  Inventory of Studies, Plans, and Evaluations ...................................... 16\n  The Department of Justice IT Strategic Plan ....................................... 22\n  Component IT Strategic Plans .......................................................... 23\n  IT System and Project Documents .................................................... 24\n  Studies ......................................................................................... 26\n  Plans ............................................................................................ 31\n  Evaluations.................................................................................... 40\n  Conclusion..................................................................................... 41\n  Recommendations .......................................................................... 42\n\nFinding 2: IT Planning Problems ......................................................... 43\n\n  Business Process Re-engineering and Requirements Weaknesses .......... 44\n  Cooperation Between Agencies......................................................... 46\n  Contract Management Weaknesses ................................................... 48\n  IT Program Management ................................................................. 49\n  Post-Implementation Evaluations...................................................... 51\n  Conclusion..................................................................................... 53\n  Recommendations .......................................................................... 53\n\nSTATEMENT ON INTERNAL CONTROLS ................................................. 54\n\x0cAPPENDIX I - OBJECTIVES, SCOPE, AND METHODOLOGY ....................... 55\n\nAPPENDIX II - ACRONYMS.................................................................. 57\n\nAPPENDIX III - IT STRATEGIC PLANS................................................... 61\n\nAPPENDIX IV - COMPLIANCE MATRIX................................................... 62\n\nAPPENDIX V - DOCUMENTS AND OTHER ARTIFACTS .............................. 74\n\nAPPENDIX VI - SYSTEM SUMMARIES.................................................. 101\n\nAPPENDIX VII - PRIOR OIG REPORTS................................................. 161\n\nAPPENDIX VIII - DEPARTMENT\xe2\x80\x99S RESPONSE TO THE DRAFT REPORT ...... 165\n\nAPPENDIX IX - INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS\nNECESSARY TO CLOSE REPORT ........................................................ 168\n\x0c                                   INTRODUCTION\n\nBackground\n\n        This report is the final in a series of three reports prepared by the\nDepartment of Justice (Department) Office of the Inspector General (OIG) in\nresponse to a congressional request included in the Department\xe2\x80\x99s\nappropriation for fiscal year (FY) 2006. Specifically, Congress instructed the\nOIG to present to the Committees on Appropriations: (1) an inventory of all\nmajor Department information technology (IT) systems and planned\ninitiatives, and (2) a report that details all research, plans, studies, and\nevaluations that the Department has produced, or is in the process of\nproducing, concerning IT systems, needs, plans, and initiatives. Congress\nrequested that the OIG include an analysis identifying the depth and scope\nof problems the Department has experienced in the formulation of its IT\nplans.\n\n      The OIG\xe2\x80\x99s first report, issued in March 2006, presented an unverified\ninventory of the Department\xe2\x80\x99s major IT investments based on information\nreported to the Office of Management and Budget (OMB) for budget\npurposes. 7 The inventory contained 46 major investments, each with\nprojected costs at or exceeding $15 million for FYs 2005 through 2007.\n\n      The second report, issued in June 2007, presented the refined\ninventory of major systems according to criteria developed by the OIG,\nreducing the number of major systems to 38. 8 The second report also\nexamined issues related to verifying cost information about the 38 systems.\n\n      This third and final report addresses the request for the OIG to\nprepare a report that details the research, plans, studies, and evaluations\nrelated to the Department\xe2\x80\x99s information technology initiatives. We used the\nrefined inventory of major systems presented in the second report to focus\nour work for this current report. This report also includes an analysis of\nproblems related to IT planning that have been identified in previous OIG\nreports.\n\n       7\n         Department of Justice, Office of the Inspector General, Inventory of Major\nDepartment of Justice Information System Investments as of Fiscal Year 2006, Audit Report\nNo. 06-25, March 2006.\n       8\n         Department of Justice, Office of the Inspector General, Identification and Review\nof the Department\xe2\x80\x99s Major Information Technology Systems Inventory, Audit Report\nNo. 07-37, June 2007.\n\n\n                                             1\n\x0cMajor Systems\n\n      We generally focused our audit on the 38 major systems and initiatives\nthat were identified in the refined OIG inventory, which are shown in\nFigure 1, listed by the component within the Department that is responsible\nfor each system. 9 The components are the:\n\n   \xe2\x80\xa2   Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)\n\n   \xe2\x80\xa2   Bureau of Prisons (BOP)\n\n   \xe2\x80\xa2   Drug Enforcement Administration (DEA)\n\n   \xe2\x80\xa2   Executive Office for Immigration Review (EOIR)\n\n   \xe2\x80\xa2   Federal Bureau of Investigation (FBI)\n\n   \xe2\x80\xa2   Justice Management Division (JMD)\n\n   \xe2\x80\xa2   Office of the Deputy Attorney General (ODAG)\n\n   \xe2\x80\xa2   Office of Justice Programs (OJP)\n\n\n\n\n       9\n         For our analysis of problems the Department has experienced with planning for IT\nsystems, we included a few additional systems and projects for which we had information\nabout project termination or other problems. These are introduced in Finding 2.\n\n\n                                            2\n\x0c                                    Major Systems and Projects\n     Figure 1\n                      System or\n      Component                                             Full Title\n                       Project\n           ATF          NIBIN         National Integrated Ballistics Information Network\n           BOP           ITS II       Inmate Telephone System II\n           DEA         Concorde       Concorde\n           DEA          E-Com         Electronic Commerce\n           DEA             EIS        El Paso Intelligence Center (EPIC )Information Systems\n           DEA         Firebird       Firebird\n           DEA           M204         Model 204 Corporate Systems\n           DEA          Merlin        Merlin\n           EOIR         eWorld        eWorld\n            FBI         BRIDG         Biometric Reciprocal Identification Gateway\n            FBI       CARTSAN         Computer Analysis Response Team Storage Area Network\n            FBI         CODIS         Combined DNA Index System\n            FBI           DCS         Digital Collection System\n            FBI           DCU         Data Centers Unit\n            FBI         EDMS          Electronic Surveillance (ELSUR) Data Management System\n            FBI         FTTTF         Foreign Terrorist Tracking Task Force\n            FBI          IAFIS        Integrated Automated Fingerprint Identification System\n            FBI           IATI        Information Assurance Technology Infusion\n            FBI           IDW         Investigative Data Warehouse\n            FBI           LEO         Law Enforcement Online\n            FBI          NCIC         National Crime Information Center\n            FBI         N-DEx         Law Enforcement National Data Exchange\n            FBI           NGI         Next Generation Identification\n            FBI          NICS         National Instant Criminal Background Check System\n            FBI         R-DEx         Regional Data Exchange\n            FBI         SCION         Secure Compartmented Information Operational Network\n            FBI       SENTINEL        Sentinel\n            FBI          SMIS         Security Management Information System\n            FBI           TRP         Technical Refreshment Program\n            FBI           TSC         Terrorist Screening Center\n           JMD           CITP         Classified Information Technology Program\n           JMD            IWN         Integrated Wireless Network\n           JMD           JCON         Justice Consolidated Office Network\n           JMD          LCMS          Litigation Case Management System\n           JMD             PKI        Public Key Infrastructure\n           JMD          UFMS          Unified Financial Management System\n                               10     Organized Crime Drug Enforcement Task Force (OCDETF)\n           ODAG          OFC          Fusion Center System\n           OJP           JGMS         Justice Grants Management System\n      Source: Office of the Inspector General\n\n      10\n           In the previously issued OIG report on Identification and Review of the\nDepartment\xe2\x80\x99s Major Information Technology Systems Inventory, which provides information\non the cost of the Department\xe2\x80\x99s major IT systems, we included the OFC as part of the DEA\nbecause the DEA\xe2\x80\x99s unobligated funds developed the OFC. However, in this report we\ninclude the OFC as part of the ODAG because the system actually resides in that office.\n\n\n                                                 3\n\x0c        These systems represent a wide range of types of systems and\ninitiatives, including efforts to acquire infrastructure, implement\ncommunications networks, and build application programs to support\nbusiness transactions. For example, the DEA\xe2\x80\x99s Firebird project is providing\ninfrastructure network equipment which allows DEA staff to use various\nautomated programs. Its Concorde project is intended to update and\ntransition older applications that currently run on older hardware and\ndatabase platforms to newer platforms. OJP\xe2\x80\x99s Litigation Case Management\nSystem project is a major new development effort designed to build an\nenterprise case management system that will serve as an infrastructure for\nthe sharing of case-related information within and between the Department\xe2\x80\x99s\ncomponents and United States Attorneys Offices.\n\n      The systems we reviewed are also in various stages of development\nand operation. Some of the systems have been in steady-state operational\nstatus for many years. Others are new development or in a mixed life-cycle\nphase, meaning the system is operational with significant modifications or\nenhancements being implemented. These variations affect which studies,\nplans, and evaluations have been or should have been prepared.\n\n      The OMB budget process grants agencies significant flexibility in\ndefining what needs to be reported as an \xe2\x80\x9cIT investment\xe2\x80\x9d for budget\npurposes. Most of the system titles in Figure 1 represent single information\nsystems, but others, such as the DEA\xe2\x80\x99s EIS and the FBI\xe2\x80\x99s FTTTF represent\nprograms that include multiple information systems. JMD\xe2\x80\x99s Public Key\nInfrastructure (PKI) project is an initiative that will affect access to many\nother systems in the Department by specifying access controls. A brief\nsummary on each system or project is found in Appendix VI, along with a list\nof the studies, plans, and evaluations we obtained associated with the\nproject.\n\nInformation Technology Organizations\n\n      Our work involved the Department\xe2\x80\x99s Office of the Chief Information\nOfficer and the eight Department components or offices listed on page 2.\n\n\n\n\n                                     4\n\x0cOffice of the Chief Information Officer (OCIO)\n\n      The Deputy Assistant Attorney General for Information Resources\nManagement (DAAG/IRM), who reports to the Assistant Attorney General for\nAdministration, serves as the Department\xe2\x80\x99s Chief Information Officer (CIO).\nThe CIO\xe2\x80\x99s responsibilities include establishing and implementing\nDepartment-wide IT policies and standards, developing the Department\xe2\x80\x99s IT\nStrategic Plan, and reviewing and evaluating the performance of Department\nIT programs and projects. In his role as the DAAG/IRM, the CIO leads the\nInformation Resources Management (IRM) function of the Justice\nManagement Division (JMD).\n\nJustice Management Division\n\n       JMD provides administrative services to the Department, including\nthose related to human resources, controller activities, and IT systems and\nsupport. In the area of IT, JMD serves a central role for the Department for\npolicy, planning, monitoring, and services. DOJ Order 2880.1B, Information\nResources Management Program, September 27, 2005, requires the CIO, in\nhis role as the DAAG/IRM, to deliver IT services to the Department through\nthe JMD. 11\n\n       JMD developed and operates many systems that serve more than one\ncomponent in the Department, and it owns six of the major systems in our\ninventory. JMD is responsible for overseeing the development and\nimplementation of the Unified Financial Management System, which is\nintended to consolidate financial reporting for all of the Department\xe2\x80\x99s\ncomponents and replace six different financial management systems. The\nLitigation Case Management System will serve seven litigating divisions of\nthe Department and will implement a common case management\narchitecture for future projects. The Integrated Wireless Network project is\nintended to provide a consolidated, nationwide federal wireless\ncommunications service that will replace standalone systems in various\ncomponents. The Justice Consolidated Office Network seeks to provide a\nreliable common office automation platform upon which 16 of the\nDepartment\xe2\x80\x99s litigating, management, and law enforcement components\noperate mission-critical applications. Under the Classified Information\nTechnology Program, the Department will develop a classified Enterprise\nArchitecture, an initial operational infrastructure, and an operations and\n\n       11\n          A DOJ Order is a type of directive used to issue Departmental policy and direction\nfor administrative matters.\n\n\n                                             5\n\x0cmaintenance model for processing classified information. 12 The Department\nhas also established a Public Key Infrastructure project to enhance access\nsecurity for existing applications and services. The enhanced security will\nsupport communications between Department staff and federal, state, and\nlocal government agencies.\n\n       Within the OCIO, the CIO-DAAG/IRM leads five staffs: (1) Policy and\nPlanning, (2) Electronic Government Services, (3) Information Technology\nSecurity, (4) Operations Services, and (5) Enterprise Solutions. Of the six\nsystems and projects in the refined inventory for which JMD is responsible,\nfive are the responsibility of the OCIO. The following four projects are\nassigned to the Enterprise Solutions Staff:\n\n       \xe2\x80\xa2    Classified Information Technology Program,\n\n       \xe2\x80\xa2    Justice Consolidated Network,\n\n       \xe2\x80\xa2    Litigation Case Management System, and\n\n       \xe2\x80\xa2    Public Key Infrastructure Project.\n\nThe Integrated Wireless Network project is assigned to the Electronic\nGovernment Services Staff. The Office of the Controller, which is not a part\nof the IRM office, is responsible for the sixth JMD project, the Unified\nFinancial Management System.\n\nComponent IT Organizations\n\n       Components in the Department are responsible for:\n\n   \xe2\x80\xa2   providing information on their investments as requested by the\n       Department\xe2\x80\x99s CIO;\n\n   \xe2\x80\xa2   demonstrating that resources are being well-spent and managed;\n\n   \xe2\x80\xa2   demonstrating that risks are being properly addressed;\n\n\n\n       12\n            Enterprise Architecture (EA) is a blueprint that explains and guides how an\norganization\xe2\x80\x99s IT and information management elements work together to accomplish the\nmission of the organization. An EA addresses business activities and processes, data sets\nand information flows, applications and software, and technology.\n\n\n                                             6\n\x0c   \xe2\x80\xa2    developing an acquisition strategy for all major IT projects;\n\n   \xe2\x80\xa2    implementing security policies and guidelines, and\n\n   \xe2\x80\xa2    using the methodology in the Department\xe2\x80\x99s Systems Development Life\n        Cycle Guidance Document for all information systems and applications,\n        tailored to individual projects.\n\n      Each of the components responsible for one of the major IT systems in\nthe OIG\xe2\x80\x99s refined inventory has its own CIO and IT organization, with the\nexception of the ODAG. Many of the initiatives in the refined inventory were\nmanaged out of the CIO\xe2\x80\x99s offices identified in Figure 2, although some were\nmanaged by other offices within the component.\n\n                          Chief Information Officers and Organizations\nFigure 2\n                 # Systems\n Component                               Organization                       CIO Reports to\n                in Inventory\n                                                                  Assistant Attorney General for\n JMD                  6        Information Resources Management\n                                                                  Administration\n ATF                  1        Office of Science and Technology   Deputy Director\n                               Office of the Chief Information    Assistant Director for Information,\n BOP                  1\n                               Officer                            Policy, & Public Affairs Division\n DEA                  6        Office of Information Systems      Deputy Administrator\n                               Office of Planning, Analysis &\n EOIR                 1                                           Assistant Director\n                               Technology\n                               Office of the Chief Information\n FBI                 21                                           Associate Deputy Director\n                               Officer\n                               Office of the Chief Information\n OJP                  1                                           Deputy Assistant Attorney General\n                               Officer\nSource: Department of Justice components. (There is also one system in the ODAG, which does not\nhave a CIO.)\n\nStandards for IT Studies, Plans, and Evaluations\n\n      Numerous federal, Department, and component-level guidelines\nestablish criteria for IT research, studies, plans, and evaluations. The\nguidelines come from both IT and budget authorities, and may apply to the\nDepartment as a whole or to individual components such as the DEA or FBI.\nWhile the various standards should complement one another, the compliance\nenvironment is complex and involves strategic planning, IT development\nmethodologies, IT investment management, enterprise architecture,\nprocurement, and budgeting. Additionally, many standards exist as\nguidelines rather than requirements, thereby allowing needed flexibility\n\n\n\n                                                 7\n\x0cdepending on the specific characteristics (type, size, scope, status) of each\nproject.\n\nFederal IT Standards\n\n       The Information Technology Management Reform Act (ITMRA) of\n1996, also known as the Clinger-Cohen Act, P.L. 104-106, February 1996,\nrequires federal agencies to improve the acquisition, use, and disposal of\ninformation technology by implementing a capital planning and investment\ncontrol (CPIC) process that links to budget formulation and execution. 13 The\nprocess is intended to maximize the value, and assess and manage the\nrisks, of IT acquisitions. This Act also requires agencies to focus information\nresource planning to support their strategic missions and to rethink and\nrestructure the way they do their work before investing in information\nsystems.\n\n      OMB Circular A-130, Management of Federal Information Resources,\nrevised November 2000, establishes policy for the management of federal\ninformation resources, based on several laws, including the Clinger Cohen\nAct. The Circular assigns responsibilities to various agencies and establishes\nstandards for the CPIC process. The CPIC process is intended to include all\nstages of capital programming, including planning, budgeting, procurement,\nmanagement, and assessment. It requires information resource\nmanagement Strategic Plans, which are strategic in nature, and IT Capital\nPlans, which are operational in nature. The IT Capital Plans are submitted to\nOMB with agency budget submissions annually, and are required to include\nthe IT Capital Asset Plans for major information systems or projects.\n\n      The OMB also publishes guidelines governing budget submissions each\nyear that influence IT planning and documentation. OMB Circular A-11,\nPreparation, Submission, and Execution of the Budget, June 2006,\nestablishes detailed standards for the IT Capital Plans to be submitted for\neach budget year. Two main exhibits are submitted with the Department\xe2\x80\x99s\nbudget each year representing the Department\xe2\x80\x99s IT Capital Plan. Under the\nCircular\xe2\x80\x99s Part 2, Preparation and Submission of Budget Estimates,\nSection 53, Information Technology and e-Government, federal agencies are\nrequired to submit an Agency IT Investment Portfolio, called the OMB\n\n\n\n\n       13\n           The Clinger-Cohen Act is Division E of the National Defense Authorization Act for\nFiscal Year 1996.\n\n\n                                              8\n\x0cexhibit 53, which is a table of basic information about each major IT\ninvestment. Section 53 also requires the submission of Privacy Impact\nAssessments (PIA), one of the studies we have included in our audit.\n\n      Circular A-11\xe2\x80\x99s Part 7, Section 300, Planning, Budgeting, Acquisition,\nand Management of Capital Assets, requires agencies to provide an IT\nCapital Asset Plan and Business Case (exhibit 300) for each major IT\ninvestment that is included in the portfolio. This part also generally\nestablishes policy for planning, budgeting, acquiring, and managing federal\ncapital assets, and provides instructions on budget justification and reporting\nrequirements for major information technology investments. Each exhibit\n300 is required to contain information demonstrating compliance with OMB\xe2\x80\x99s\nCPIC policies and with OMB Circular A-130 and E-Gov related policy\nmemoranda. Agencies justify new or continued funding for major\nacquisitions by demonstrating on exhibits 300:\n\n   \xe2\x80\xa2   a direct connection to the agency\xe2\x80\x99s strategic plan,\n\n   \xe2\x80\xa2   a positive return on investment for the selected alternative,\n\n   \xe2\x80\xa2   sound acquisition (program and procurement) planning,\n\n   \xe2\x80\xa2   comprehensive risk mitigation and management planning,\n\n   \xe2\x80\xa2   realistic cost and schedule goals, and\n\n   \xe2\x80\xa2   measurable performance benefits.\n\nIn addition, agencies are expected to document detailed information\nsubstantiating the portfolio of major investments in accordance with the\nagency\xe2\x80\x99s capital programming process.\n\n      The OMB\xe2\x80\x99s Capital Programming Guide, Supplement to OMB\nCircular A-11, Part 7, Planning, Budgeting, and Acquisition of Capital Assets,\nJune 2006, contains more detailed guidance to federal agencies about\npractices and lessons learned for more efficient project and acquisition\nmanagement of capital assets. It integrates various statutory and\nmanagement initiatives into a single, integrated capital programming\nprocess to ensure that capital assets successfully contribute to the\nachievement of agency strategic goals and objectives. Its purpose is to\nassist federal agencies in planning, procuring, and using capital assets to\nachieve the maximum return on investment.\n\n\n                                       9\n\x0c      Additionally, numerous laws and standards exist regarding specific\nfinancial systems, system security, enterprise architectures, electronic\naccess, and data quality. Because these standards focus on specific system\nrequirements rather than on IT planning and evaluation processes, we did\nnot use these as the basis for determining IT planning and evaluation\nrequirements, and they are not included in this report.\n\nDepartment Standards\n\n      The Department has implemented a number of standards that define\nIT processes and result in studies, plans, and evaluations. DOJ\nOrder 2880.1B, Information Resources Management Program,\nSeptember 2005, establishes the CIO\xe2\x80\x99s authority for issuing\nDepartment-wide IT policies, standards, and guidelines, and for reviewing\nand evaluating the performance of IT programs and projects.\n\n       The Department\xe2\x80\x99s Guide to the DOJ Information Technology\nInvestment Management (ITIM) Process (ITIM Guide), August 2001,\nimplemented the capital planning and investment control process that was\nrequired by the Clinger-Cohen Act. 14 The ITIM Guide integrates the\ninterrelated disciplines of strategic planning, performance planning, systems\nlife-cycle development, capital planning, security, architecture, and\nacquisition planning, and program management. Intended to complement\nthe Systems Development Life Cycle process already in place, it defines\ncriteria for \xe2\x80\x9cmajor\xe2\x80\x9d information systems in the Department and specifies a\nnumber of documents that should be produced as part of each phase of IT\nmanagement.\n\n       The Department\xe2\x80\x99s Systems Development Life Cycle (SDLC) Guidance\nDocument, revised January 2003, establishes life-cycle management\nprocedures, practices, and guidelines governing IT work within the\nDepartment. The guidance is intended to be used for all of the Department\xe2\x80\x99s\ninformation systems and applications, but is also intended to allow flexibility\nto suit the characteristics of particular development efforts. Tailoring\nstandards may be based on individual project cost, complexity, and criticality\nto the agency\xe2\x80\x99s mission. When a full sequential life-cycle pattern is not\nappropriate, the SDLC offers alternate work patterns for smaller or more\nlimited efforts, such as implementing commercial-off-the-shelf (COTS)\nproducts.\n\n       14\n          ITIM processes help identify needed IT projects, select new projects, and track\nand oversee project costs and schedules.\n\n\n                                            10\n\x0cComponent-Specific Standards\n\n      Each of the Department\xe2\x80\x99s components may establish its own life-cycle\nguidelines as long as they are consistent with the Department\xe2\x80\x99s standards.\nFor this audit, we found that the BOP, EOIR, and JMD use the Department\xe2\x80\x99s\nSDLC. The DEA and FBI developed their own life-cycle development\nmethodologies defining IT project management procedures and\ndocumentation requirements \xe2\x80\x93 the DEA System Development Life Cycle\n(DEA SDLC), March 2000, and the FBI Life Cycle Management Directive (FBI\nLCMD), August 2005, which was first implemented in November 2004. 15\n\n       The DEA SDLC closely follows the Department\xe2\x80\x99s life-cycle guidance in\nterms of the phases of development and documents described. The FBI\nLCMD is a more recent methodology and more closely resembles elements of\nthe CPIC process. Some of the documents required by the FBI LCMD are\nvirtually identical to aspects of the Capital Asset Plan and Business Case\n(exhibit 300) that is to be submitted to the OMB for each major IT\ninvestment. Details about the requirements under each methodology for the\nstudies, plans, and evaluations included in this audit are found in the\ndetailed discussion of each document type in Finding 1. All of the\nDepartment\xe2\x80\x99s components included in this audit allow some variation within\ntheir own IT development standards.\n\nIT System Life-Cycle Concepts\n\n      Projects can be expected to go through a process of identifying a\nbusiness need and alternative solutions for meeting the need, selecting the\nbest alternative, planning to acquire or build the solution, defining specific\nrequirements, and designing, building, testing, implementing, and evaluating\nthe implemented solution. The Department\xe2\x80\x99s SDLC Guidance Document\ndescribes 10 phases of IT work: initiation, concept development, planning,\nrequirements analysis, design, development, integration and test,\nimplementation, operations and maintenance, and disposition of information\nsystems within the Department. The SDLC specifies tasks and deliverables,\nincluding planning documents, to be created for each of the phases.\n\n       For different types of acquisitions and smaller-scope projects, the\nlife-cycle work pattern can be tailored to reduce the workload from a full\nsequential work pattern. Tailoring the work pattern may include dropping\n\n      15\n         The U.S. Marshals Service (USMS) also developed its own SDLC, but there were\nno USMS systems in the revised inventory used as the basis for this audit.\n\n\n                                          11\n\x0crequirements for specific tasks, studies, plans, and evaluations. The major\ntasks and deliverables for each SDLC phase are summarized in Figure 3.\n\n                              Systems Life Cycle Phases & Documents\nFigure 3\n    Phase                         Phase Description                                       Deliverables\n                 When a business need or opportunity is identified,\nInitiation       \xe2\x80\xa2 the business need is documented in the Concept             Concept Proposal\n                    Proposal.\n                 Once the Concept Proposal is accepted:\n                                                                              System Boundary Document\n                 \xe2\x80\xa2 approaches for accomplishing the concept are\nSystem Concept                                                                Cost Benefit Analysis\n                    reviewed for feasibility and appropriateness, and\nDevelopment                                                                   Feasibility Study\n                 \xe2\x80\xa2 the scope of the system is documented in the\n                                                                              Risk Management Plan\n                    System Boundary Document.\n                 When senior officials have approved the Boundary             Acquisition Plan\n                 Document and some funding:                                   Configuration Management Plan\n                 \xe2\x80\xa2 the concept is further developed to describe how           Quality Assurance Plan\n                    the business will operate once implemented, and to        Concept of Operations\nPlanning            assess impacts.                                           System Security Plan\n                 \xe2\x80\xa2 budget, resources, activities, schedules, tools, and       Project Management Plan\n                    reviews are defined.                                      Validation & Verification Plan\n                 \xe2\x80\xa2 system security requirements are identified and a          Systems Engineering Management\n                    high level vulnerability assessment is completed.         Plan\n                 \xe2\x80\xa2 All requirements (functional, data, system                 Functional Requirements Document\nRequirements        performance, security, maintainability) are               Test and Evaluation Master Plan\nAnalysis            formally defined to a level of detail sufficient for      Interface Control Document\n                    systems design to proceed.                                Privacy Impact Assessment\n                 \xe2\x80\xa2   Physical characteristics of the system are               Security Risk Assessment\n                     specified.                                               Conversion Plan\n                                                                              System Design Document\n                 \xe2\x80\xa2   Detailed logical specifications are prepared.\n                                                                              Implementation Plan\nDesign           \xe2\x80\xa2   Operating system environment is defined.\n                                                                              Maintenance Manual\n                 \xe2\x80\xa2   Major subsystems, inputs & outputs are defined.          Ops/System Administration Manual\n                 \xe2\x80\xa2   Subsystems are partitioned into design units or          Training Plan\n                     modules.                                                 User Manual\n                 \xe2\x80\xa2   Detailed specifications are translated into              Contingency Plan\n                     hardware, communications, and software                   Software Development Document\nDevelopment          programs.                                                System Application Software\n                 \xe2\x80\xa2   Software is unit tested, integrated, and retested.       Test Files/Data\n                 \xe2\x80\xa2   Hardware is assembled and tested.                        Integration Document\n                                                                              Test Analysis Report\n                 \xe2\x80\xa2   All components of the system (hardware, software,\nIntegration &                                                                 Test Analysis Approval Determination\n                     interfaces, operators, users, etc.) are integrated and\nTest                                                                          Test Problem Report\n                     tested.\n                                                                              Security Certification & Accreditation\n                                                                              Delivered System\n                 \xe2\x80\xa2   The system is installed and made operational in a        Change Implementation Notice\nImplementation\n                     production environment.                                  Version Description Document\n                                                                              Post-Implementation Review\n\n\n\n\n                                                       12\n\x0c    Phase                               Phase Description                                   Deliverables\n                       The operation is ongoing and continues as long as the\n                       system can be adapted effectively to respond to needs.\n                       \xe2\x80\xa2 The system is monitored for continued\nOperations &                                                                    In-Process Review Report\n                            performance with requirements.\nMaintenance                                                                     User Satisfaction Review Report\n                       \xe2\x80\xa2 Modifications are incorporated; the system may re-\n                            enter planning phase when modifications are\n                            identified as necessary.\n                       Phase ensures the orderly termination of the system\n                       and preserves system data and information about the      Disposition Plan\nDisposition            system.                                                  Post-Termination Review Report\n                       \xe2\x80\xa2 Data are migrated effectively to another system or     Archived System\n                            archived for future access.\nSource: Department of Justice Systems Development Life Cycle Guidance Document, January 2003\n\n      The Department\xe2\x80\x99s ITIM process describes three phases: Select,\nControl, and Evaluate. The DOJ ITIM Guide also defines major tasks and\ndeliverables associated with each of the three phases. The tasks and\ndeliverables focus on the investment management process in the\nDepartment, rather than on the details of each system or project. There is\nsome overlap between the SDLC and ITIM tasks and deliverables, but they\ndo not precisely coincide because the focus of each is different. The ITIM\nphases and deliverables are summarized in Figure 4.\n\n                                                 DOJ ITIM Process\nFigure 4\n              Phase                        Phase Description                       Selected Deliverables\n                                                                         Concept Proposal\n                                    Concept Development\n                                                                         Business Case Analysis\n                                    Business Case Analysis &             Initial Project Plan\n              Select\n                                    Investment Proposal Development\n                                                                         IT investment portfolio\n                                    Portfolio Prioritization/Budgeting   Annual briefing to CIO\n                                                                         Budget submission\n                                                                         Project Management Plan\n                                                                         Acquisition Plan\n                                    Project Planning                     Baseline milestones and measures\n                                                                         Earned value management system (EVMS) &\n                                                                         work breakdown structures (WBS) with\n                                                                         corresponding reporting mechanisms\n\n           Control                  Acquisition and Development          Executed contract\n                                                                         Progress reports\n                                                                         Periodic executive reviews/portfolio\n                                                                         assessments\n                                                                         Updated project documentation\n                                    Deployment\n                                                                         Periodic reviews to executives\n                                                                         Operational system successfully deployed\n\n\n                                                           13\n\x0c        Phase                  Phase Description                    Selected Deliverables\n                                                          Post Implementation Review Reports\n                         Management-In-Use\n                                                          Periodic Operational Analysis Reports\n        Evaluate                                          User Survey Results\n                         Retirement Planning & Disposal\n                                                          Asset Disposal and Data Conversion Plan\nSource: DOJ ITIM Guide\n\n      Both the SDLC and ITIM tasks and deliverables generally follow the\nprogression of IT projects chronologically. Under both, studies and research,\nsuch as alternatives analyses, feasibility studies, risk analyses, and market\nresearch for possible solutions are performed early in the life of a system as\nthe basis for selecting the best alternative and preparing the business case\nfor the project. Major plans of all types, such as project management plans\nand quality assurance plans, are developed after the selected approach has\nbeen authorized. Post-implementation reviews, in-process review reports,\nand user satisfaction reviews are types of evaluations that occur after an IT\nsystem has been implemented or a project has been terminated. We used\nthis chronological approach to identify and organize the studies, research,\nplans, and evaluations that are addressed in this audit.\n\n       This chronological approach is qualified by the evolutionary nature of\nthe entire life-cycle process. As projects evolve to become more defined\nover time, plans should also become more defined. The life cycle of\nidentifying business needs, selecting best alternatives, determining which IT\ninvestments should be added to and continued in the Department\xe2\x80\x99s portfolio,\nacquiring and building solutions, and evaluating the results is intended to be\niterative and ongoing. Both the SDLC and ITIM require multiple iterations of\nvarious documents, with updates as projects become more defined and\nchange over time. Both the SDLC and ITIM also require various types of\nongoing evaluations to occur regularly as decision points are reached during\nthe course of IT projects.\n\nAudit Approach\n\n      Our audit objectives were to: (1) identify all research, plans, studies,\nand evaluations that the Department has produced, or is in the process of\nproducing, concerning IT systems, needs, plans, and initiatives; and\n(2) analyze the depth and scope of the problems the Department has\nexperienced in the formulation of its IT plans.\n\n      We identified relevant federal, Department, and component-specific\nrequirements and standards for IT research, studies, plans, and evaluations,\nand merged the various standards into a generic set of requirements and\n\n                                              14\n\x0cstandards. We requested and obtained documents from the components\nrelated to 38 major Department IT projects listed in our inventory, and\nassessed compliance with the document standards for the major systems in\nthe inventory.\n\n      For this audit report, we focused specifically on studies and research\nthat justified the selection of investments in the revised inventory of major\nIT systems and projects, plans that were developed after the investments\nwere authorized, and evaluations that were performed after systems were\nimplemented. We did not request every document specified by the DOJ\nSDLC or ITIM Guide, such as early plans that were developed before projects\nreceived authorization (system boundary documents) and specification and\ndesign documents. 16\n\n      To evaluate problems the Department has experienced in planning, we\nreviewed relevant audit and inspection reports, extending the scope of our\naudit work to several systems and projects that were not included in the\ninventory of major systems. We analyzed these evaluations for information\nabout problems the Department has experienced in formulating IT plans.\n\n\n\n\n       16\n           Although a case can be made that all these documents are planning documents,\nit was not feasible in the course of one audit to assess entire documentation libraries for\nmultiple projects.\n\n\n\n\n                                            15\n\x0c                  FINDINGS AND RECOMMENDATIONS\n\n\nFinding 1: Studies, Plans, and Evaluations\n\n       With respect to the 38 major IT systems examined in this\n       phase of the review, components submitted 494 documents\n       we categorized as \xe2\x80\x9cstudies, plans, and evaluations.\xe2\x80\x9d Some\n       systems had up to 30 associated planning documents, while\n       others had as few as 2. While many of the documents\n       specified in various federal, Department, and component-level\n       IT development standards were produced, significant gaps\n       existed between the suggested studies, plans, and evaluations\n       and what components prepared for individual projects. For\n       example, components developed few post-implementation\n       evaluations of how the systems performed and what lessons\n       were learned during development of the system. Moreover,\n       the OIG found that the standards for preparing studies, plans,\n       and evaluations as part of the IT development process come\n       from a variety of different sources that overlap, duplicate\n       effort, and may prove cumbersome.\n\nInventory of Studies, Plans, and Evaluations\n\n      To identify specific IT research, studies, plans, and evaluations, we\ninterviewed Department officials and reviewed the guidelines described in\nthe Introduction to this report. We used the guidelines listed in Figure 5 as\nthe basis for requesting specific studies, plans, and evaluations of IT needs,\nopportunities, projects, and systems. Each of the guidelines in Figure 5 is\ndescribed in the Introduction to this report.\n\n\n\n\n                                      16\n\x0c                           Guidelines for IT Studies, Plans, and Evaluations\nFigure 5\n\n                               Guideline and Date                                   Applies to\n\n\nDOJ Systems Development Life Cycle Guidance Document, revised 2003             Department of Justice\n\n\nGuide to the DOJ Information Technology Investment Management (ITIM)\n                                                                               Department of Justice\nProcess, August 2001\n\nDOJ Order 2880.1b, Information Resources Management Program, September\n                                                                               Department of Justice\n2005\n\n\nOMB Circular A-11, Preparation and Submission of Budget Estimates, June 2005   All Federal agencies\n\n\n                                                                                Drug Enforcement\nDEA Systems Development Life Cycle Guidance Document, March 2000\n                                                                                 Administration\n\n                                                                                Federal Bureau of\nFBI Life Cycle Management Directive, revised August 2005\n                                                                                  Investigation\nSources: Department of Justice components\n\n      We used the DOJ SDLC as the primary criterion to identify the studies,\nplans, and evaluations that should be prepared when developing and\nimplementing IT projects. The standards use various names for documents\nand organize the information differently. For this report, we combined the\nvarious specific standards into a generic set of studies, plans, and\nevaluations that could be applied to all of the IT systems and projects in our\ninventory. Because we found little research documented outside of the OMB\nexhibit 300, we included \xe2\x80\x9cresearch documents\xe2\x80\x9d under the category of\n\xe2\x80\x9cstudies.\xe2\x80\x9d\n\n       We requested specific documents directly from each of the\ncomponents because the CIO\xe2\x80\x99s office did not maintain major documents\nproduced for component-specific systems. OCIO officials told us that\nDepartment oversight is designed to focus on the Capital Planning and\nInvestment Control process for selecting and prioritizing IT investments. It\nis not designed to enforce policies and procedures on IT project\ndocumentation. 17 Department-level oversight of individual IT projects is\nperformed through presentations to the Departmental Investment Review\n\n           17\n                The CIO does have specific responsibilities to enforce security standards.\n\n\n                                                    17\n\x0cBoard, the CIO\xe2\x80\x99s Dashboard report, and through the OMB exhibit 300s, all of\nwhich are described in the second report in this series. This oversight\nincludes tracking of actual performance against scheduled milestones and\ncosts, but does not involve JMD officials in the details of IT documentation\nfor individual projects.\n\n       In addition to requesting specific documents, we also asked the\ncomponents to provide any additional documents they had prepared that\nwould qualify as IT studies, research, plans, or evaluations. We requested a\nslightly different list of documents from the FBI than from the other\ncomponents because some of the FBI\xe2\x80\x99s LCMD standards varied somewhat\nfrom the standards being used by the other components. The variations for\ndifferent components are described later in the report in the discussion of\neach document type. We found that the standards for preparing studies,\nplans, and evaluations as part of the IT development process come from a\nvariety of different sources that overlap, duplicate effort, and may prove\ncumbersome.\n\n       We combined the various specific requirements from each guideline\ninto the following generic set of criteria for studies, plans, and evaluations\nthat we could apply to all of the IT systems and projects in our inventory.\nFigure 6 lists the generic set of documents we requested. All of the\ndocuments listed below are applicable to each IT system or project with the\nexception of an IT strategic plan, which is required for the Department but\noptional for components.\n\n\n\n\n                                      18\n\x0c                       Studies, Plans, and Evaluations Requested\n             Figure 6\n              \xe2\x80\xa2 Business case studies\n              \xe2\x80\xa2 Market research\n              \xe2\x80\xa2 Alternatives analyses\n              \xe2\x80\xa2 Feasibility studies\n              \xe2\x80\xa2 Cost benefit analyses\n              \xe2\x80\xa2 Privacy impact assessments\n              \xe2\x80\xa2 IT strategic plans\n              \xe2\x80\xa2 Risk management plans\n              \xe2\x80\xa2 Acquisition plans\n              \xe2\x80\xa2 Project management plans\n              \xe2\x80\xa2 System security plans\n              \xe2\x80\xa2 Systems engineering management plans\n              \xe2\x80\xa2 Configuration management plans\n              \xe2\x80\xa2 Quality assurance plans\n              \xe2\x80\xa2 Validation and verification plans\n              \xe2\x80\xa2 Test plans\n              \xe2\x80\xa2 Conversion plans\n              \xe2\x80\xa2 Implementation plans\n              \xe2\x80\xa2 Training plans\n              \xe2\x80\xa2 Contingency & continuity of operations plans\n              \xe2\x80\xa2 Disposition plans\n              \xe2\x80\xa2 Test reports\n              \xe2\x80\xa2 Ongoing reviews of project status and earned value management\n              \xe2\x80\xa2 Post-implementation review reports\n              \xe2\x80\xa2 Any other IT-related research, plans, studies, and evaluations the\n                  component performed or sponsored\n             Source: OIG compilation of standards\n\n       Department components submitted more than 800 documents and\nother evidence that we accepted as responsive in some way to our requests.\nOf these responses, 494 were complete documents representing studies,\nplans, and evaluations. The responses also included other products or\nartifacts of the system acquisition and development process. Artifacts\nincluded items such as briefing slides, spreadsheets showing schedules and\nwork breakdown structures, portions of the OMB exhibit 300, and various\nforms of progress reports. We included other artifacts in this report to the\ndegree that they contributed to compliance with the various standards for\ndocumentation.\n\n     A detailed listing of the studies, plans, and evaluations we obtained for\neach project is located in Appendix VI of this report, along with a short\nsummary about the project. Appendix V lists all documents and other\n\n                                             19\n\x0cartifacts we determined contributed to compliance with the various\nstandards. The numbers include some duplicate counting of single\ndocuments because components sometimes submitted one document to\nfulfill more than one category.\n\n       The components cited several reasons for not providing all of the\ndocuments we requested. Specifically, components said: (1) the\nrequirement was not applicable to the investment; (2) a waiver to the\nrequirement had been granted; (3) planning for the system pre-dated\nFY 2000 and the documentation was not available; (4) the system was\npurchased commercially off-the-shelf eliminating the need for certain\nprocesses; and (5) the investment had not reached the applicable point in\nthe life cycle.\n\n      Figure 7 shows the number of documents we received that we\ndetermined to be responsive to our document request for each system or\nproject.\n\n\n\n\n                                    20\n\x0c                      DOJ IT Studies, Plans & Evaluations Received\n         Figure 7\n                                                           Studies, Plans, &\n           Components           Systems & Projects\n                                                             Evaluations\n               ATF                     NIBIN                 17\n               BOP                      ITS II               11\n               DEA                    Concorde               15\n               DEA                     E Com                 18\n               DEA                        EIS                20\n               DEA                     Firebird              14\n               DEA                      M204                  8\n               DEA                     Merlin                14\n              EOIR                     eWorld                 9\n                FBI                    BRIDG                  4\n                FBI                  CARTSAN                 11\n                FBI                    CODIS                  7\n                FBI                      DCS                 15\n                FBI                      DCU                  6\n                FBI                    EDMS                  16\n                FBI                    FTTTF                  6\n                FBI                     IAFIS                24\n                FBI                      IATI                18\n                FBI                      IDW                  5\n                FBI                      LEO                  9\n                FBI                     NCIC                 19\n                FBI                    N-DEx                  6\n                FBI                      NGI                 11\n                FBI                     NICS                 16\n                FBI                    R-DEx                  5\n                FBI                    SCION                  4\n                FBI                   Sentinel               11\n                FBI                     SMIS                 21\n                FBI                      TRP                  2\n                FBI                      TSC                  8\n               JMD                       CITP                27\n               JMD                       IWN                 23\n               JMD                      JCON                 27\n               JMD                     LCMS                   6\n               JMD                        PKI                15\n               JMD                     UFMS                  18\n              ODAG                       OFC                 16\n               OJP                      JGMS                 12\n                                            TOTAL           494\n        Source: Documents submitted by DOJ components in response to the\n        OIG\xe2\x80\x99s request\n\n      Two comprehensive IT plans for the Department are required by OMB\nstandards: the Department\xe2\x80\x99s IT Capital Plan and IT Strategic Plan. The IT\nCapital Plan, Agency IT Investment Portfolio (exhibit 53), was described in\nthe second report in this series of three audits, as it represents the\n\n                                          21\n\x0cDepartment\xe2\x80\x99s inventory of major IT investments. The Department\xe2\x80\x99s IT\nStrategic Plan and the component plans are described below. All other\ndocuments under the section \xe2\x80\x9cStudies, Plans, and Evaluations\xe2\x80\x9d are standards\nassociated with each system or initiative.\n\nThe Department of Justice IT Strategic Plan\n\n      OMB Circular A-130, Management of Federal Information Resources,\nrequires that federal agencies maintain strategic plans for information\nresources management. According to OMB, the plans should: (1) support\nthe agency\xe2\x80\x99s Strategic Plan and (2) provide a description of how information\nresources management activities help accomplish agency missions and\nensure that IT decisions are integrated with organization planning, budget,\nprocurement, financial management, human resources management, and\nprogram decisions. DOJ Order 2880.1B, Information Resources\nManagement Program, September 27, 2005, assigns responsibility to the\nCIO for developing, maintaining, and implementing the Department\xe2\x80\x99s IT\nStrategic Plan, and requires that it be aligned directly with the Department\xe2\x80\x99s\nStrategic Plan.\n\n      The Department of Justice Information Technology Strategic Plan for\n2006 \xe2\x80\x93 2011, June 2006, is designed to align IT strategic goals with the four\nstrategic goals in the Department\xe2\x80\x99s Strategic Plan:\n\n\xe2\x80\xa2   prevent terrorism and promote America\xe2\x80\x99s security;\n\n\xe2\x80\xa2   enforce federal laws and represent the rights and interests of the\n    American people;\n\n\xe2\x80\xa2   assist state, local, and tribal efforts to prevent or reduce crime and\n    violence; and\n\n\xe2\x80\xa2   ensure the fair and efficient operation of the federal justice system.\n\n       To help the Department accomplish its goals, the IT Strategic Plan sets\nout five specific IT goals:\n\n    \xe2\x80\xa2   enable the mission through information sharing,\n\n    \xe2\x80\xa2   enable the mission through federated solutions,\n\n    \xe2\x80\xa2   support effective and efficient use of IT resources,\n\n\n                                        22\n\x0c   \xe2\x80\xa2   provide common resilient and secure infrastructure, and\n\n   \xe2\x80\xa2   leverage common administrative solutions.\n\n      The IT Strategic Plan provides objectives for each goal and strategies\nfor each objective. The IT goals, objectives, and strategies are intended to\nguide the technology capabilities toward specific outcomes. The Plan also\nintroduces performance strategies as a means of measuring the\nDepartment\xe2\x80\x99s performance of objectives. The performance objectives\ndescribe, at a high level, the expected performance, while specific metrics\nare developed for each investment. Further, there is at least one\nperformance measurement defined for each objective.\n\n      We reviewed the Department\xe2\x80\x99s IT Strategic Plan for compliance with\nthe requirements stated in OMB Circular A-130. We found that the IT\nStrategic Plan supported the Department\xe2\x80\x99s Strategic Plan and that it\ncontained the required description of how information resources\nmanagement activities help accomplish agency missions and ensure that IT\ndecisions are integrated with organization planning, budget, procurement,\nfinancial management, human resources management, and program\ndecisions.\n\nComponent IT Strategic Plans\n\n      DOJ Order 2880.1B, Information Resources Management Program,\nallows, but does not require, components to develop their own IT strategic\nplans. It also requires component-specific IT strategic plans to reflect and\nbe aligned with the strategies in the Department\xe2\x80\x99s IT Strategic Plan.\n\n      Five of the eight components included in this audit have developed\ncomponent-specific IT Strategic Plans (ATF, BOP, DEA, EOIR, and FBI).\nThose IT Strategic Plans are listed in Appendix III. The Department\xe2\x80\x99s IT\nStrategic Plan was prepared by JMD.\n\n      We reviewed the IT Strategic Plans for the five components to evaluate\ncompliance with the requirement that they be aligned with the Department\xe2\x80\x99s\nIT Strategic Plan. We found that the component IT Strategic Plans are\ngenerally consistent with the Department\xe2\x80\x99s Plan.\n\n      While a strategic plan is required at the Department level and\ncomponents have the flexibility to develop their own strategic plans, most\nstandards that exist related to IT studies, plans, and evaluations are\napplicable to individual IT systems and projects rather than to the\n\n                                      23\n\x0cDepartment or its components. The following sections on studies, plans, and\nevaluations focus on the standards that apply to individual systems and\nprojects.\n\nIT System and Project Documents\n\n      This section presents a summary of what we obtained from\ncomponents by type of document, along with a discussion of the specific\nstandards for studies, plans, and evaluations. 18 Our approach for discussing\ndocuments in this section is generally chronological, following documents as\nthey are produced during the development of an IT project.\n\n       We applied each document type discussed below as a test of\ncompliance for studies, plans, or evaluations. We also assigned unique\nnumbers to individual documents and artifacts. We prepared a matrix\nidentifying the individual documents and artifacts we determined were\nresponsive to our requests for studies, plans, and evaluations. Appendix IV\ncontains the matrix of document types and systems, with identifying\nnumbers representing individual documents that met each standard.\nAppendix V lists individual documents in numerical order to match with\nitems in the matrix.\n\n        Determining compliance with the standards for studies, plans, and\nevaluations was complicated by variations in criteria and the long duration of\nmany projects coupled with the fact that criteria changed over time.\nDetermining compliance was further complicated because the components\nallow waivers or tailoring of the standards for each project, depending on the\nnature of the project. We agree that flexibility and tailoring are reasonable.\nAs we could not perform 38 individual audits for each of the systems and\ninitiatives in the inventory, we are providing the following discussion of\ncompliance in terms of whether the components provided documents in a\nconsistent manner with the generic standards we used. It was not our\nintent to suggest that any individual project was out of compliance at any\ngiven time, since almost no document is absolutely required. Instead, our\nintent was to examine how consistently the components produced certain\ndocuments specified by various criteria.\n\n\n\n\n       18\n          This is not intended to be a comprehensive discussion of all phases or activities\nassociated with IT projects and systems, but focuses on the tasks and documents\nassociated with research, studies, plans, and evaluations.\n\n\n                                             24\n\x0c       Business case studies, system security plans, and PIAs are all required\nby criteria other than the Department\xe2\x80\x99s SDLC or the FBI\xe2\x80\x99s LCMD.\nComponents must obtain funding for IT projects through the OMB exhibits\n300, which summarize the business case, must provide system security\nplans in order to obtain authorization from Departmental IT security\nauthorities to begin operating a system, and must abide by privacy laws by\ncompleting PIAs.\n\n      We found the highest levels of compliance in the areas of business\ncase documents, which become part of the Department\xe2\x80\x99s annual budget\nprocess and are required to obtain funding for each system or project, and\nsystem security plans, which are required for projects to obtain the\nDepartment\xe2\x80\x99s authorization to operate. The components provided at least\none business case document for 36 of the 38 systems in the inventory. The\ntwo exceptions, the FBI\xe2\x80\x99s Investigative Data Warehouse (IDW) and Secure\nCompartmented Information Operational Network (SCION), are included in\nan \xe2\x80\x9cumbrella\xe2\x80\x9d business case that represents the Department\xe2\x80\x99s consolidated\nenterprise infrastructure (CEI). The business case document represents the\nsingle document type for which we found 100 percent compliance.\n\n       System security plans also had a high level of compliance and we\nobtained security plans for 32 of the 38 projects. The six other projects\nwere either too early in the life cycle for preparation of this document, or a\ndraft security plan was undergoing review. Components also demonstrated\na high level of compliance with PIAs, and we found acceptable explanations\nfor the projects that did not submit a PIA. Components also provided\nproject management plans for 29 of the 38 projects, and explained all but\none of those exceptions.\n\n       However, we found compliance in the areas of systems engineering\nmanagement, configuration management, quality assurance, validation and\nverification, and training plans was significantly lower.\n\n      The discussion in this section includes the numbers of whole\ndocuments we obtained that represented studies, plans, and evaluations. In\nthe compliance matrix, Appendix IV, we included other artifacts that were\nsubmitted in lieu of, or in addition to entire documents.\n\n\n\n\n                                      25\n\x0cStudies\n\n      Studies required by the various standards for IT activities and\ndocuments associated with each IT system or project are generally\nperformed early in the life cycle of an IT project to identify and evaluate\npossible alternative solutions to meet a business need. 19 The studies include\nmarket research, alternative analyses, feasibility studies, cost-benefit\nanalyses (or benefit-cost analyses), risk analyses, and PIAs. 20\n\n      While the Department and DEA SDLCs specify separate documents for\nthese studies, the FBI LCMD groups all except the PIAs into a business case\ndocument that is a virtual image of the business case section of the OMB\nexhibit 300 required to be submitted as part of the Department\xe2\x80\x99s budget.\nFor reporting purposes, we organized the studies into groups called\nmarket/other research, business case studies, and PIAs.\n\n        As we conducted our audit, we became aware of a study that did not\nfit into the categories below that is related to a case management/common\nsolution architecture for the Department. The 2004 study, sponsored by the\nCIO and performed by a contractor, is being used as the basis for JMD\xe2\x80\x99s\nLCMS project. 21\n\nMarket and Other Research\n\n       The only type of research mentioned in various criteria for IT\ndocumentation is market research. The DOJ ITIM Guide specifies market\nresearch through reference to the OMB exhibit 300, Capital Asset Plan and\nBusiness Case. Item 1.A. of section I.E., Alternatives Analysis, of the exhibit\n300 instructs agencies to discuss the market research that was conducted to\nidentify innovative solutions for the investment. OMB\xe2\x80\x99s Capital Programming\nGuide indicates that federal agencies should conduct market surveillance and\nresearch to ensure that as many alternative solutions as possible are\n\n       19\n           We grouped various documents into the category of \xe2\x80\x9cstudies\xe2\x80\x9d based on the idea\nthat a study would be a product of attempts to acquire knowledge or understanding of a\nsubject.\n       20\n           Privacy impact assessments (PIA) are performed later in the life cycle, after an\nalternative solution has been selected. The Department\xe2\x80\x99s SDLC places the PIA as a\ndeliverable of the requirements analysis phase.\n       21\n          The MITRE Corporation, Common Solution Architecture for Case Management\n(the Current State), Technical Report, April 2004.\n\n\n                                             26\n\x0cidentified for consideration once an agency need has been identified. It lists\nannouncements, requests for information, or requests for proposals to solicit\ninformation on alternative concepts from a broad base of qualified firms. It\nalso states that emphasis should be placed on solutions that are currently\navailable and do not require significant development in order to minimize\nrisk.\n\n       While market research is the only type of research specifically\nidentified in the exhibit 300, we asked components to identify and provide\nany other research that had been performed in connection with their planned\nIT projects. Components told us there was virtually no additional IT-related\nresearch being conducted separate from the market research that is\nperformed as part of building a business case for a system.\n\n      We requested market research from all components except the FBI\nbecause the FBI\xe2\x80\x99s LCMD does not specify market research independent of\nthe business case.\n\n       Components provided 16 documents reflecting market research related\nto 11 of the 17 total non-FBI projects. Of the market research documents\nwe received, the assessments included market research reports for DEA\xe2\x80\x99s\nFirebird and JMD\xe2\x80\x99s IWN and LCMS projects, requests for comment or\ninformation for the BOP\xe2\x80\x99s ITS-II and JMD\xe2\x80\x99s JCON, a summary report of\nvendor responses for JMD\xe2\x80\x99s UFMS, two comparative analyses of other federal\nsystems for the ODAG\xe2\x80\x99s OFC, a report on public key infrastructure\npossibilities for the DEA\xe2\x80\x99s eCommerce project, and a report on digital audio\nrecording alternatives for the EOIR\xe2\x80\x99s eWorld project. We obtained seven\nother artifacts related to market research for three projects which had also\nsubmitted documents we accepted as studies.\n\n      The 16 studies included in this discussion were separate from\nresponses to the market research section of the Capital Asset Plans and\nBusiness Cases (OMB exhibits 300). Information included in the Capital\nAsset Plan and Business Case generally indicates that some market research\nwas performed to help identify potential solutions. Six non-FBI systems\nwere not represented by market research studies apart from the OMB\nexhibits 300. These six were NIBIN, Concorde, E-Commerce, M204, Merlin,\nand JGMS. Like the FBI projects, these six projects submitted OMB exhibits\n300.\n\n\n\n\n                                     27\n\x0cBusiness Case Studies\n\n       When managers decide that a system concept is worth developing\nfurther, work is performed to identify and evaluate alternative solutions.\nThis item reflects studies performed to support the selection of a project or\nsystem and includes the following type of analyses that are frequently\ncombined in one or two documents:\n\n    \xe2\x80\xa2   alternatives analyses,\n\n    \xe2\x80\xa2   feasibility studies,\n\n    \xe2\x80\xa2   cost benefit analyses (also called benefit cost analyses), and\n\n    \xe2\x80\xa2   risk analyses.\n\n     The Department SDLC and FBI LCMD standards vary considerably in\nterms of where certain types of information for these analyses should be\nfound, but the basic information required is similar between standards. The\nDepartment and DEA SDLCs specify preparing the following:\n\n\xe2\x80\xa2   A feasibility study that should provide an overview of the business\n    requirement and determination if solutions exist that are technically,\n    economically, and operationally feasible. The feasibility study should\n    describe and evaluate alternative solutions. The feasibility study may be\n    documented as a separate document or as part of the cost benefit\n    analysis.\n\n\xe2\x80\xa2   A cost-benefit analysis that uses the results of the feasibility study as the\n    basis for evaluating the costs and benefits of the candidate solutions.\n    The cost benefit analysis should additionally include a statement of\n    assumptions made describing the present and future environment on\n    which the analysis is based, constraints (external factors that may affect\n    the effort), the presentation of nonrecurring and recurring costs, and an\n    analysis of expected tangible and intangible benefits. 22 The alternative\n    solutions evaluated should then be compared using return on investment\n    concepts.\n\n\n\n        22\n           Tangible benefits are expressed in dollars or units, such as dollars saved from\nstreamlining transactions and saved time. Intangible benefits are normally related to\nmission improvements that may be difficult to quantify.\n\n\n                                             28\n\x0c      The DOJ ITIM Guide specifies a business case analysis that reflects the\nrequirements for the Capital Asset Plan and Business Case (OMB exhibits\n300) to summarize the results of:\n\n\xe2\x80\xa2   developing and evaluating alternatives;\n\n\xe2\x80\xa2   assessing the relative risks and mitigation strategies;\n\n\xe2\x80\xa2   performing a return on investment (ROI) analysis, including a benefits\n    cost analysis;\n\n\xe2\x80\xa2   developing performance measures and indicators;\n\n\xe2\x80\xa2   addressing security and privacy issues; and\n\n\xe2\x80\xa2   selecting the best alternative based on ROI, risk mitigation, benefits cost\n    analysis, and other performance measures.\n\n      The FBI LCMD specifies an initial and a final business case that is\nvirtually identical to the requirements for the OMB exhibit 300.\n\n      This audit generally reports on documents the components provided in\nresponse to our requests for specific documents. One exception to this is for\nbusiness case studies. Some components submitted the OMB exhibit 300,\nCapital Asset Plan and Business Case, in response to this request, but many\ndid not. Therefore, we obtained a number of additional exhibits 300 from\nother sources and have credited them to this test regardless of how the\ncomponent responded to the document request.\n\n      Overall, we obtained 46 documents we categorized as a business case\nstudy, including at least one for 36 of the 38 systems or projects. The 46\nbusiness case studies include multiple documents for 9 projects. Several\ncomponents submitted more than one OMB exhibit 300, representing\nmultiple budget years, but we counted multiple OMB exhibits 300 for each\nproject as one document. Additional studies we obtained included\nAlternatives Analyses and Cost Benefit Analyses.\n\n      We did not receive a business case study for the FBI\xe2\x80\x99s Investigative\nData Warehouse (IDW) or Secure Compartmented Information Operational\nNetwork (SCION) projects because they are included in an OMB exhibit 300\nfor the \xe2\x80\x9ccomprehensive enterprise infrastructure\xe2\x80\x9d for the Department.\n\n\n\n                                       29\n\x0c      Additionally, we obtained more than 70 other artifacts related to\nbusiness cases, including feasibility statements, mission needs statements,\nconcept of operations documents, and cost benefit analysis spreadsheets.\n\n      Overall, we found the highest level of compliance with standards in the\narea of business case studies. The budget requirement for the OMB exhibit\n300 undoubtedly contributes to the high level of compliance, as the case\nstudy is needed to obtain funding as part of the budget process.\n\nPrivacy Impact Assessments\n\n      PIAs are required by DOJ Order 2880.1b to ensure the Department\nreviews the potential impacts on individuals\xe2\x80\x99 privacy concerns that may\nresult from the development and use of computer-based information\nsystems that collect or store personal data about individuals. All\ncomponents are required to conduct a PIA for any new information system\nthat contains sensitive information about individuals, uses new techniques to\nmanipulate existing data about individuals in a way that such data is readily\nretrievable, or collects and maintains personal information about individuals\nthat has not previously been collected and maintained by the component.\nJMD is responsible for enforcing compliance with this policy through the\nDepartment\xe2\x80\x99s ITIM process.\n\n      The DOJ ITIM Guide instructs components to address privacy issues in\ndeveloping the business case, in preparing the Capital Asset Plan and\nBusiness Case, and when preparing a disposal plan. The DOJ and DEA\nSDLCs require the PIA to be performed as part of the requirements analysis\nphase of a system\xe2\x80\x99s life cycle.\n\n      The DOJ SDLC defines a PIA as a written evaluation of the impact that\nthe implementation of the proposed system would have on privacy.\nGuidance for preparing a PIA is provided on the Department\xe2\x80\x99s intranet, and\nconsists of a list of questions to be answered about data in the system and\nthe impact of the system on privacy. The assessment begins with a privacy\nthreshold analysis to determine whether there is a need for a full PIA for\neach system.\n\n      Compliance with the PIA requirements appears consistent. We\nobtained 33 PIAs and privacy threshold analyses for 23 of the 38 systems\nand projects in the revised inventory, with some components submitting\nseparate PIAs for different functions or modules of a system. PIAs were not\nrequired for every project. The threshold analyses for NIBIN and PKI\ndetermined there was no need for a full PIA for those systems, and we\n\n                                     30\n\x0cobtained an initial or full PIA for the other 21 of the 23 systems and\nprojects.\n\n      We did not obtain PIAs or threshold analyses for 15 systems or\nprojects. DOJ Order 3011.1A, Compliance with the Privacy Requirements of\nthe Privacy Act, the E-Government Act, and the FISMA, March 6, 2007,\nstates that PIAs identifying how information in identifiable form is collected,\nstored, protected, shared, and managed in an IT system or online\ninformation collection are required when developing or procuring new\ntechnology or making substantial modifications to existing technology. This\nwould exempt older systems that have not undergone significant\nmodification in the way described. Although the scope of this audit did not\ninclude evaluating information about modifications to all of the older systems\nin the inventory, this order would appear to exempt 7 of the remaining 15\nsystems: the DEA\xe2\x80\x99s M204 corporate systems, the FBI\xe2\x80\x99s DCU, IAFIS, LEO,\nNCIC, NICS, and R-DEx.\n\n      The DEA responded that a PIA was too broad for the infrastructure\nproject Firebird and not applicable to Merlin, which is also an infrastructure\nproject. The FBI told us that the PIAs for the FTTTF and TSC existed, but did\nnot provide them to us. We did not obtain PIAs or explanations for the FBI\xe2\x80\x99s\nIDW or TRP. The TRP is, however, at the beginning of its life cycle and is not\nyet at the phase of the FBI\xe2\x80\x99s LCMD that requires a PIA. JMD told us that the\nPIA for IWN was not completed yet, and OJP responded to this item for the\nJGMS with its certification and accreditation plan of actions and milestones.\n\nPlans\n\n      The plans specified by the DOJ and DEA SDLCs for each IT system or\nproject include many types of plans that are developed after an alternative\nsolution has been selected. These plans include:\n\n   \xe2\x80\xa2   risk management,\n   \xe2\x80\xa2   acquisition,\n   \xe2\x80\xa2   project management,\n   \xe2\x80\xa2   system security,\n   \xe2\x80\xa2   systems engineering management,\n   \xe2\x80\xa2   configuration management,\n   \xe2\x80\xa2   quality assurance,\n   \xe2\x80\xa2   validation and verification,\n   \xe2\x80\xa2   test,\n   \xe2\x80\xa2   conversion,\n   \xe2\x80\xa2   implementation,\n\n                                      31\n\x0c   \xe2\x80\xa2   training,\n   \xe2\x80\xa2   contingency, and\n   \xe2\x80\xa2   disposition.\n\nThe FBI LCMD also requires many of the same plans, but uses different\nnames for some. Each of the differences is described below.\n\nRisk Management Plans\n\n      The SDLCs specify risk management plans to be prepared during the\nsystem concept development phase, along with the feasibility and cost\nbenefit studies. The risk management plan documents the results of\nassessing and planning to manage programmatic and technical risks of the\nsystem or project. The plan should identify and assess risks, and detail the\nstrategies that will be employed to mitigate the risks.\n\n      The DOJ ITIM Guide describes assessing risk as part of analyzing\nalternatives, and reporting such risk assessment in the Capital Asset Plan\nand Business Case (OMB exhibit 300). When completing the exhibit 300,\nagencies are instructed to assess various risks, including those associated\nwith schedule, initial costs, life-cycle costs, technical obsolescence, risk of\nmonopoly, capability of the agency to manage the investment, overall risk of\ninvestment failure, security, privacy, and project resources.\n\n      Components provided 32 risk management plans for 25 of the 38\nsystems and projects. A number of components submitted the OMB exhibit\n300 or other artifacts as their risk management plans. While the exhibit 300\ncontains information on risk management, it also requests the date of the\nrisk management plan, suggesting that an independent plan should exist.\nWe included artifacts, such as information from the OMB exhibit 300, in the\ncompliance matrix, but did not count these as a risk management plan.\n\n      In addition to the OMB exhibits 300, other artifacts included risk\nregisters, which are spreadsheets listing risks and mitigation strategies, risk\nanalyses, and risk management sections of other documents, such as project\nplans. The number of projects represented by either risk management plans\nor other artifacts was 33 of the 38 projects. Five projects did not provide\nany specific response to this request, but Firebird, IAFIS, NICS, and TRP all\nsubmitted OMB exhibits 300 that included a risk management section.\nSCION, the final system, is included in the Department\xe2\x80\x99s consolidated\nenterprise infrastructure OMB exhibit 300.\n\n\n\n                                      32\n\x0cAcquisition Plans\n\n       The SDLCs specify preparation of an acquisition plan during the\nplanning phase of a system life-cycle. This plan should document how all\ngovernment resources and contractor support services will be acquired\nduring the life of the project. Acquisition plans are specified in the DOJ ITIM\nGuide and also are included in the final business case under current FBI\nstandards. We did not request acquisition plans from the FBI, as FBI\nofficials told us the acquisition plans are in the business case. As is\ndiscussed in the section on business case studies, the FBI was compliant\nwith business case studies. However, we did obtain two documents related\nto acquisition planning for the FBI\xe2\x80\x99s Sentinel project.\n\n      Other components provided acquisition plans or some relevant\nalternate documentation for 13 of the 17 non-FBI systems and projects in\nthe revised inventory. Alternate documentation included justification for\nother than full and open competition and the acquisition section of Capital\nAsset Plans and Business Cases, which summarizes the acquisition strategy.\nWe obtained OMB exhibits 300 for all of the other non-FBI projects that did\nnot provide separate acquisition plans. While the other components did not\nsuggest that the OMB exhibit 300 fulfilled the requirement for an acquisition\nplan, we accepted them as such in order to ensure similar treatment to the\nFBI projects. However, we do not identify this as an area of high compliance\nbecause the OMB exhibit 300 clearly expects that components will develop a\nseparate acquisition plan.\n\nProject Management Plans\n\n       The SDLCs indicate that project management plans should be prepared\nfor all projects. The plans are intended to document project scope, tasks,\nschedule, allocated resources, and interrelationships with other projects.\nThe plans also provide details on the involved functional units, required job\ntasks, cost and schedule performance measurement, and milestone and\nreview scheduling. Revisions to the project management plan should occur\nat the end of each phase and as information becomes available. The project\nmanagement plan should reflect the entire scope of what is to be\naccomplished. Project management plans are also specified in the DOJ ITIM\nGuide.\n\n      Components provided 44 project management plans for 29 systems\nand projects, and 42 other artifacts representing 28 projects, together\nrepresenting a total of 31 of the 38 projects. We included artifacts in the\n\n\n                                      33\n\x0ccompliance matrix in Appendix IV. Common artifacts submitted in relation\nto this plan were schedules of tasks and work breakdown structures.\n\n      We did not obtain project plans or relevant artifacts for seven projects,\nfour of which predated the FBI\xe2\x80\x99s implementation of its LCMD (IAFIS, LEO,\nNICS, and R-DEx). We did not receive an explanation for why no project\nmanagement plans for the FBI\xe2\x80\x99s SCION and TRP were provided. In addition,\nthe ATF waived compliance to the SDLC for its NIBIN system \xe2\x80\x9cdue to the\nnature of the contract and special contractual constraints whereby the\nContractor provides for 100% of the necessary customer support and\nmaintenance support required to install, configure, implement and sustain all\nIBIS systems (hardware and software).\xe2\x80\x9d\n\nSystem Security Plans\n\n       The various business and law enforcement functions within the\nDepartment depend on the confidentiality, integrity, and availability of\nsystems and data. The DOJ SDLC specifies that system security plans\nshould contain information about the system environment, information\nsharing, sensitivity of information processed, management controls, security\ncontrols, operational controls, contingency planning, security training, audit\ntrails, and access controls.\n\n       The Department requires that all IT systems pass a security\nCertification and Accreditation process that is intended to ensure the\nadequacy of computer system security. Security plans and successful\nsecurity test results are needed to obtain the Department\xe2\x80\x99s authorization to\noperate. This likely ensures that system security plans and related security\ntests are among the most reliably prepared documents in the IT\ndevelopment process.\n\n       Components provided 40 system security plans and 33 other relevant\nartifacts for 32 systems. Included as artifacts in the compliance matrix in\nAppendix IV are items such as security sections of project management\nplans, authorizations to operate, and other artifacts of the certification and\naccreditation process. Of the six projects not represented here, the FBI and\nJMD told us the plans for NGI, Sentinel, and LCMS did not yet exist, which\nwas reasonable given the status of the projects at the time of our field work.\nWe were also informed that the draft security plan for the FTTTF was being\nreviewed at the time of our field work. We did not obtain a plan or an\nexplanation from the FBI regarding the BRIDG or TRP projects. Overall, we\nfound compliance with this system security standard extremely high.\n\n\n                                      34\n\x0cSystems Engineering Management Plans\n\n       According to the Department\xe2\x80\x99s SDLC, the systems engineering\nmanagement plan (SEMP) should be developed during the planning phase of\nIT project development. The SEMP is intended to document the strategy for\nexecuting the technical management aspects of the project, and should\ninclude information about responsibilities for the technical effort, technical\nprocesses, and procedures to be applied. It should address control\nstrategies for data management, technical performance measurement,\ninterface management, and formal and informal technical reviews. The FBI\xe2\x80\x99s\nLCMD also specifies SEMPs.\n\n      In response to our request, components provided only 11 SEMPs and 6\nrelevant artifacts for 13 projects. Components did not submit items we\naccepted as SEMPs for 25 of the 38 IT projects. In addition to the NIBIN\ncontract waiver, components told us the SEMPs had not yet been developed\nor were not applicable for their projects. Others submitted project\nmanagement plans or concept of operations documents to meet this\nrequirement, but we did not accept the brief descriptions included in these\ndocuments for this test.\n\nConfiguration Management Plans\n\n      According to the DOJ SDLC, configuration management plans\ndocument uniform practice for managing system software, hardware, and\ndocumentation changes throughout a development project. The FBI LCMD\nalso specifies configuration management plans.\n\n      Components provided 28 configuration management plans and 5\nrelated artifacts for 26 projects. The 12 projects not submitting\nconfiguration management plans were NIBIN, ITS-II, BRIDG, CODIS, DCU,\nFTTTF, IDW, N-DEx, R-DEx, TRP, TSC, and OFC. In addition to the NIBIN\ncontract waiver, component explanations for not submitting this item\nincluded that the documents had not yet been developed or the standard\nwas not applicable. 23\n\n\n\n\n       23\n           It was beyond the scope of this audit to determine what was appropriate for each\nproject for every type of study, plan, or evaluation that may be prepared for individual\nprojects.\n\n\n                                            35\n\x0cQuality Assurance Plans\n\n      The DOJ SDLC indicates the purpose of quality assurance plans is to\nensure that delivered products satisfy contractual agreements, meet or\nexceed quality standards, and comply with approved processes. The plans\nshould include an overview of the processes to ensure that processes and\nproducts associated with hardware, software, and documentation are\nmonitored, sampled, and audited to ensure compliance with methodology,\npolicy, and standards.\n\n      Components provided 17 quality assurance plans for 16 projects. 24\nWe included 12 other relevant artifacts for 5 projects in the compliance\nmatrix, representing a total of 20 projects. No quality assurance plans or\nrelated artifacts were obtained for 18 of the 38 projects. The 18 projects\nwere: NIBIN, ITS-II, BRIDG, CODIS, DCS, DCU, EDMS, FTTTF, IDW, LEO,\nNCIC, N-DEx, R-DEx, SCION, TRP, TSC, CITP, and JGMS. In addition to the\nNIBIN contract waiver, component explanations for not submitting this item\nincluded that the documents had not yet been developed, were not\napplicable, or were no longer available if they were developed several years\nago.\n\nValidation and Verification Plans\n\n       Validation and verification plans describe the testing strategies that\nwill be used throughout a project\xe2\x80\x99s life-cycle phases. Such plans should\ninclude descriptions of contractor, government, and appropriate independent\nassessments required by the project. They should also reflect the major\nreviews that will be performed through the project. However, the SDLC\ndoes not require that any validation and verification be performed\nindependently.\n\n       The FBI LCMD also requires this plan and defines verification and\nvalidation as a disciplined approach to assessing software products\nthroughout the software development life cycle to ensure that quality is built\ninto the software and that the software satisfies business functional\nrequirements. Verification and validation employs review, analysis, and\ntesting techniques to determine whether a software product and its\nintermediate deliverables comply with business functional requirements and\nquality attributes. The LCMD specifically defines verification as the process\n\n      24\n           This number includes one quality management plan counted five times because it\nis being used for five DEA projects (Item #83).\n\n\n                                           36\n\x0cof determining whether products in a given phase of the development\nprocess fulfill the requirements established during the previous phase and\nvalidation as the process of evaluating software at the end of the software\ndevelopment process to ensure compliance to software requirements.\n\n       Components provided 8 validation and verification plans and 14 other\nrelated artifacts for 10 projects. We accepted test plans in response to this\ndocument request for three projects. In our judgment, verification and\nvalidation plans should include more than software testing. Requirements\nand design products should also be subject to verification and validation.\nThe ten projects we determined responded to this item were: DEA\xe2\x80\x99s E-\nCommerce, EIS, Merlin, and M204, the FBI\xe2\x80\x99s IAFIS and TSC, JMD\xe2\x80\x99s CITP,\nIWN, and JCON, and OJP\xe2\x80\x99s JGMS. The other 28 projects did not provide a\nvalidation and verification plan or we did not accept minimal test\ndocumentation that was submitted in response to this request. In addition\nto the NIBIN contract waiver, component explanations for not submitting\nthis item included that the documents had not yet been developed, were not\napplicable, or were no longer available if they were developed several years\nago.\n\nTest Plans\n\n     Both the SDLC and FBI LCMD specify test master plans that should\ndocument the scope, content, methodology, sequence, management of, and\nresponsibilities for test activities. The testing should include integration,\nsystem, user acceptance, and security testing.\n\n      Components provided 51 test plans and 19 other related artifacts for\n30 projects. These represent plans for different types of testing and testing\nof various modules or functions of the same system such as security,\nacceptance, functional, maintainability, report generation, and integration\ntests. Of the eight projects not represented, three had not reached the\nappropriate stage of the life cycle for this document: CODIS-Next\nGeneration project, NGI, and LCMS. 25 Of the remaining five projects, only\nITS-II responded that the item was not applicable. There were no specific\nresponses on the other four projects (BRIDG, IDW, SCION, and TRP).\n\n\n\n\n       25\n           It was beyond the scope of this audit to ensure that we obtained test plans for\nevery appropriate module, phase, or function of each project. We are reporting what we\nobtained in response to the request for studies, plans, and evaluations.\n\n\n                                             37\n\x0cConversion Plans\n\n      The SDLC calls for conversion plans to be prepared during the design\nphase of the life cycle to document the results of design work on conversion\nand transition strategies if information needs to be converted or migrated to\nthe new system. The plans should describe the strategies involved in\nconverting data from the existing to the new environment. Because the\nFBI\xe2\x80\x99s LCMD requires transition plans to include data conversion issues, we\nrequested transition plans for the FBI projects.\n\n      Components provided 13 conversion and transition plans for 10\nprojects. Most of these were FBI transition plans, although JMD submitted\nconversion plans for the Classified Information Technology Program (CITP)\nand Unified Financial Management System (UFMS) projects, the BOP\nsubmitted a plan for ITS-II, and JMD submitted two related artifacts for\nJCON. In addition to the NIBIN contract waiver, component explanations for\nnot submitting this item included that the documents had not yet been\ndeveloped, were not applicable, or were no longer available if they were\ndeveloped several years ago.\n\nImplementation Plans\n\n       According to the SDLC, implementation plans are to be prepared\nduring the design phase to describe how the system will be deployed,\ninstalled, and transitioned into an operational status. The FBI LCMD refers\nto its comparable plan as an installation plan.\n\n      Components provided 29 implementation, deployment, or installation\nplans and 21 other related artifacts for 24 projects. Component\nexplanations for the 14 other projects not represented in this item included\nthat the documents had not yet been developed, were not applicable, or\nwere no longer available if they were developed several years ago.\n\nTraining Plans\n\n       The SDLC also calls for training plans to be prepared during the design\nphase. The training plan should outline the objectives, needs, strategy, and\ncurriculum to be addressed when training users on the new or enhanced\ninformation system. The training plan should present the activities needed\nto support the development of training materials, coordination of training\nschedules, reservation of personnel and facilities, and other training-related\ntasks.\n\n\n                                      38\n\x0c      Components provided 16 training plans and 5 other relevant artifacts\nfor 19 projects. Component explanations for the 19 other projects not\nrepresented in this item included that the documents had not yet been\ndeveloped, were not applicable, or were no longer available if they were\ndeveloped several years ago.\n\nContingency and Continuity of Operations Plans\n\n      The DOJ SDLC specifies contingency planning as a function of the\ndevelopment phase of a system\xe2\x80\x99s life cycle. The SDLC cites OMB A-130 as\nrequiring the preparation of plans for general support systems and major\napplications to ensure continuity of operations. The purpose is to provide for\nthe continuation of critical mission and business functions in the event of\ndisruptions. The plans are known by various names, such as disaster\nrecovery, continuity of operations, or contingency plans.\n\n      We obtained 23 contingency plans or continuity of operations plans\nand 1 related artifact for 19 projects. Component explanations for the 19\nother projects not represented in this item included that the documents had\nnot yet been developed or were not applicable.\n\nDisposition Plans\n\n      Disposition plans are intended to end the operation of a system in a\nplanned, orderly manner and to ensure that system components and data\nare properly archived or incorporated into other systems. The plan should\nbe developed during the disposition phase, according to the SDLC, which\nbegins when a decision is made to terminate or replace a system.\n\n      Components provided one disposition plan for JMD\xe2\x80\x99s PKI and one other\nrelated artifact for the FBI\xe2\x80\x99s DCU. The PKI document was prepared early in\nthe PKI life cycle. It was our understanding that the DEA\xe2\x80\x99s M204 corporate\nsystems and the BOP\xe2\x80\x99s ITS-II were both nearing the end of their life cycles,\nbut other systems in the revised inventory were not yet at that stage.\n\n\n\n\n                                     39\n\x0cEvaluations\n\n      During our field work for this audit, we requested IT project test\nreports, ongoing reviews of project status, and earned value management\n(EVM) reports to obtain information to describe IT planning problems within\nthe Department. We obtained 42 test reports and 25 other relevant artifacts\nfor 24 projects. We also obtained 86 documents and other related artifacts\nfor 25 projects that we categorized as ongoing performance evaluations.\nThese items included Dashboard reports to the OCIO, EVM spreadsheets,\nproject reviews, results of gate reviews for FBI projects, project status\nreports, briefings for component and Departmental managers, and lessons\nlearned statements. We found that most of these materials presented status\ninformation needed for project management and decision-making, but were\nnot necessarily directed at describing planning problems. These items are\nincluded in the compliance matrix and list of unique documents in\nappendices IV and V.\n\n      To obtain information about the effectiveness of system development\nand acquisition efforts, we have limited our assessment of evaluations in this\naudit report to full reports produced about problems experienced during\nprojects, or reports about systems and projects following implementation of\nthe system. We requested post-implementation review reports, which\ninclude in-process review reports and user satisfaction review reports.\n\nPost-Implementation Review Reports\n\n       According to the SDLC, post-implementation reviews are conducted\nafter a system has been in production for a period of time and are used to\nevaluate the effectiveness of the system development. The review should\ndetermine whether the system does what it was designed to do, supports\nusers as required, and was successful in terms of functionality, performance,\nand cost benefit. It should also assess the effectiveness of the development\nactivities that produced the system. The review results should be used to\nstrengthen the systems as well as the component\xe2\x80\x99s system development\nprocedures.\n\n      In-process reviews are performed during operations and maintenance\nto assess system performance and user satisfaction, and should occur\nrepeatedly after a system has been implemented to ensure the system\ncontinues to meet needs and perform effectively.\n\n    The FBI LCMD does not require a post-implementation review as such.\nHowever, it does specify annual project-level operational reviews that are\n\n                                     40\n\x0cconducted by the operations and maintenance organization to ensure that\nthe fielded system is continuing to support its intended mission and can be\ncontinuously supported, operated, and maintained in the future in a cost-\neffective manner. The FBI LCMD also calls for acceptance reviews at the\ntime of implementation.\n\n       Components provided seven post-implementation reports and six other\nrelevant artifacts for ten projects. These are discussed in Finding 2 of this\nreport. Component explanations for the 28 other projects not represented in\nthis item included that the documents had not yet been developed, were not\napplicable, or were no longer available if they were developed several years\nago.\n\nConclusion\n\n      We found the highest levels of compliance with studies, plans, and\nevaluations in the areas of business case documents, which become part of\nthe Department\xe2\x80\x99s annual budget process and are required to obtain funding\nfor each system or project, and security plans, which are required for\nprojects to obtain authorization to operate. The components provided at\nleast one business case document for 36 of the 38 systems in the inventory.\nThe two exceptions, the FBI\xe2\x80\x99s Investigative Data Warehouse (IDW) and\nSecure Compartmented Information Operational Network (SCION), are\nincluded in an \xe2\x80\x9cumbrella\xe2\x80\x9d business case that represents the Department\xe2\x80\x99s\nconsolidated enterprise infrastructure (CEI). The business case document is\nthe single document type for which we found 100 percent compliance.\n\n      System security plans also had a high level of compliance and we\nobtained security plans for 32 of the 38 projects. The six other projects\nwere either too early in the life cycle for preparation of this document, or a\ndraft security plan was undergoing review. Components also demonstrated\na high level of compliance with PIAs, and we found acceptable explanations\nfor the projects that did not submit a PIA. Components also provided\nproject management plans for 29 of the 38 projects, and explained all but\none of those exceptions.\n\n       However, we found compliance in the areas of systems engineering\nmanagement, configuration management, quality assurance, validation and\nverification, and training plans was significantly lower.\n\n       Departmental oversight is designed to focus on the Capital Planning\nand Investment Control process for selecting and prioritizing IT investments.\nIt is not designed to enforce policies and procedures on IT project\n\n                                      41\n\x0cdocumentation. 26 Department-level oversight of individual IT projects is\nperformed through presentations to the Departmental Investment Review\nBoard, the CIO\xe2\x80\x99s Dashboard report, and through the OMB exhibit 300s, all of\nwhich are described in the second report in this series. This oversight\nincludes tracking of actual performance against scheduled milestones and\ncosts, but does not involve JMD officials in the details of IT documentation\nfor individual projects.\n\n      Based on the limited number of plans and evaluations produced on\nthese major systems and projects, the CIO should evaluate why project\nteams do not prepare certain plans and evaluations, reassess the utility of\nthose documents, and consider revising the standards for producing IT\nstudies, plans, and evaluations for individual IT projects.\n\nRecommendations\n\nWe recommend that the Department\xe2\x80\x99s CIO:\n\n   1. Evaluate why project teams do not prepare certain plans and\n      evaluations, reassess the utility of those documents, and consider\n      revising the standards for producing IT studies, plans, and evaluations\n      for individual IT projects.\n\n   2. Consider revising the guidelines for tailoring the work pattern for\n      specific types of projects.\n\n\n\n\n      26\n           The CIO does have specific responsibilities to enforce security standards.\n\n\n                                             42\n\x0cFinding 2: IT Planning Problems\n\n        Prior OIG reports have identified IT planning problems that\n        resulted in terminated projects, delays in implementation, cost\n        increases, and problems with system data. Significant\n        problems in planning that have been identified include\n        weaknesses in contract management, business process re-\n        engineering (BPR) and defining system requirements, and\n        coordination between federal agencies. We originally planned\n        to use evaluations we obtained from components to identify\n        problems the Department has experienced in planning for IT\n        systems. However, components have produced few\n        meaningful evaluations of project management for either\n        successful or failed IT projects. Therefore, we reviewed prior\n        OIG reports and sought other reports performed or sponsored\n        by the Department that identified IT planning problems.\n\n       To identify problems the Department has experienced in planning for\nIT systems and projects, we reviewed previous OIG audit and inspection\nreports. We used OIG performance audits, financial statement audits,\ninformation technology security audits, and inspections to help identify the\nscope of problems the Department has experienced in IT planning. The\nfocus of the audits and reviews varied and included general IT management,\nthe management and progress of individual IT projects, the performance of\nindividual systems following implementation, system security, and system\ncontrols. The OIG reports we reviewed are listed in Appendix VII. We also\nreviewed special reports prepared for the FBI on the terminated VCF project.\n\n       The overall objective for the IT standards described in the Introduction\nto this report is to improve the acquisition, use, and disposal of information\ntechnology by the federal government so as to improve the productivity,\nefficiency, and effectiveness of federal programs. Prior OIG reports have\nidentified IT planning problems that resulted in terminated efforts,\nimplementation delays, problems with data in implemented systems, and\ncost overruns. 27 The OIG reports described causes for the terminations,\ndelays, and other problems that include weaknesses in contract\nmanagement, project scheduling, BPR, requirements definition, and\ncooperation between federal agencies.\n       27\n           Some of the systems and initiatives included in this analysis were not included in\nthe revised inventory but were the subject of OIG reports. All of the systems and initiatives\nin the revised inventory used for this audit either were implemented or are currently in\ndevelopment.\n\n\n                                             43\n\x0c       During this audit we looked for any IT projects that had either failed or\nbeen terminated, such as the FBI\xe2\x80\x99s VCF and LIMS projects discussed below.\nThe OIG found during work on the second report in this series that a prior\neffort on JMD\xe2\x80\x99s Justice Consolidated Office Network (JCON) project had been\nterminated before beginning the current project in FY 2001. JMD, however,\nwas not able to provide an evaluation of the failure. In our opinion, failure\nto evaluate why a contract failed suggests a serious gap in evaluating\nproject management practices. We believe that troubled and terminated\nprojects should be evaluated to determine the causes of the problems.\n\nBusiness Process Re-engineering and Requirements Weaknesses\n\n      The DOJ SDLC indicates that BPR should be the underpinning of any\nnew system development or initiative as part of strategic planning for\ninformation systems, and that agencies should consider BPR before\nrequesting funding for a new project or system development effort. BPR is\ndefined as the redesign of the organization, culture, and business processes\nusing technology as an enabler to achieve significant improvements in cost,\ntime, service, and quality. The results of successful BPR are increased\nproductivity and quality improvements.\n\n       The FBI\xe2\x80\x99s effort to develop a case management system to replace its\nobsolete Automated Case Support system has been subject to project\nrestarts or continuations with new titles twice since its initiation. 28 The first\neffort, undertaken in mid-2001 as the User Applications Component of the\nTrilogy project, was originally scheduled to be implemented in 2004. This\neffort was never implemented because the vision and functional\nrequirements for the system changed significantly during the project. After\nthe attacks of September 11, 2001, and other events affecting the FBI, the\nvision for the system changed from one that would simply consolidate\nexisting applications to one that would implement a new overall workflow\nprocess for FBI agents, analysts, and support personnel.\n\n\n\n\n       28\n           Department of Justice, Office of the Inspector General, The Federal Bureau of\nInvestigation\xe2\x80\x99s Management of the Trilogy Information Technology Modernization Project,\nAudit Report 05-07, February 2005.\n\n\n                                            44\n\x0c       The effort subsequently became the Virtual Case File (VCF) project.\nThe VCF was intended to make criminal and terrorist investigation\ninformation readily accessible throughout the FBI. However, the FBI did not\naccept an initial delivery from the contractor in December 2003 because the\nsystem was not fully functional and did not meet FBI requirements.\nSubsequent deliveries did not occur because of difficulties experienced in\ncompleting the initial version of the VCF. The FBI told auditors that\nsubsequent deliveries were not being pursued given the problems in the first\ndelivery. The OIG report on the VCF project stated that one of the most\nsignificant problems with managing the schedule, cost, and technical aspects\nof Trilogy was the lack of a firm understanding of the design requirements\nby both the FBI and contractors. During the initial years of the project, the\nFBI had no firm design baseline or roadmap for Trilogy. According to one\nFBI official, Trilogy\xe2\x80\x99s scope grew by about 80 percent from the initiation of\nthe project. The FBI terminated the VCF portion of Trilogy in March 2005\nafter spending $170 million because of the lack of progress on its\ndevelopment and concerns that the development environment would make\nthe system difficult to enhance and maintain. As discussed in two OIG audit\nreports, the effort has been re-started as the $425 million Sentinel project,\nwhich is scheduled for completion in December 2009. 29\n\n      A contracted study of the FBI\xe2\x80\x99s terminated Virtual Case File project\nfound that the original plans for the case management portion of the Trilogy\nproject were not based on a new vision of how the FBI could use IT to\ntransform the way it performs its mission. Specifically, the unpublished\nreport indicated that senior managers were not involved in efforts to re-\nengineer business processes or in rethinking the FBI\xe2\x80\x99s use of IT, and that\nwhile users working on the re-engineering were experienced agents, none\nhad experience with complex IT development projects or business process\nre-engineering.\n\n\n\n\n       29\n           Department of Justice, Office of the Inspector General, The Federal Bureau of\nInvestigation\xe2\x80\x99s Pre-Acquisition Planning For and Controls Over the Sentinel Case\nManagement System, Audit Report 06-14, March 2006.\n\n       and\n\n          Department of Justice, Office of the Inspector General, Sentinel Audit II: Status\nof the Federal Bureau of Investigation\xe2\x80\x99s Case Management System, Audit Report 07-03,\nDecember 2006.\n\n\n                                             45\n\x0c       Another terminated project at the FBI was an initiative to implement a\nnew Laboratory Information Management System (LIMS) to replace its\nEvidence Control System, which was originally created in 1978. 30 The LIMS\ncontract was awarded in September 2003, was initially supposed to be\nimplemented within 90 days of contract activation, and was terminated in\nJanuary 2006 due to concerns over security requirements. According to an\nOIG audit, the project failed because of problems meeting the FBI\xe2\x80\x99s security\nrequirements and because of delays in implementing a web-browser\ninterface.\n\n      The OIG determined that specific security requirements for the system\nwere defined late in the project, hindering the contractor\xe2\x80\x99s ability to comply.\nThe LIMS Request for Proposals (RFP) had required security to be part of the\nsystem, but the FBI strengthened its security requirements after the\ncontract award in response to high-profile espionage-related security\nbreaches in the FBI. The audit found that the FBI had failed to document\nsecurity requirements adequately and, to the extent the security\nrequirements evolved, did not clarify those changes through contract\nmodifications.\n\nCooperation Between Agencies\n\n       OIG audits and reviews have also identified difficulties when the\nDepartment attempts to work with other agencies to develop and implement\nsuccessful IT systems. For example, lack of cooperation has cost time in the\neffort to coordinate fingerprint sharing between the Department and the\nDepartment of Homeland Security (DHS). Similar problems threaten the\nsuccess of the Secure Flight Program and the Integrated Wireless Network\n(IWN).\n\n      The OIG audit of the Terrorist Screening Center\xe2\x80\x99s (TSC) efforts to\nsupport the Department of Homeland Security\xe2\x80\x99s (DHS) Secure Flight\nProgram found that the TSC had been hindered and delayed in its efforts to\nprepare for implementation by the DHS-led Transportation Security\nAdministration\xe2\x80\x99s failure to make, communicate, and comply with key\nprogram and policy decisions in a timely manner. 31 In addition to perceived\n       30\n           Department of Justice, Office of the Inspector General, The Federal Bureau of\nInvestigation\xe2\x80\x99s Implementation of the Laboratory Information Management System, Audit\nReport 06-33, June 2006.\n       31\n          Department of Justice, Office of the Inspector General, Review of the Terrorist\nScreening Center\xe2\x80\x99s Efforts to Support the Secure Flight Program, Audit Report 05-34,\nAugust 2005. Redacted\n\n                                            46\n\x0cproblems in planning at DHS, cooperation between the TSC and DHS has\nbeen weak.\n\n      The OIG has performed a series of reviews of the FBI\xe2\x80\x99s progress\ntoward achieving interoperable fingerprint identification systems with federal\nimmigration authorities. 32 Since 1999 JMD has maintained oversight of the\nintegration of the FBI\xe2\x80\x99s fingerprint identification system, Integrated\nAutomated Fingerprint Identification System (IAFIS), and the Department of\nHomeland Security\xe2\x80\x99s Automated Biometric Identification system, IDENT. The\n2001 USA Patriot Act and the 2002 Border Security Act both set\nrequirements for a data system that would allow sharing of identification\ninformation in federal law enforcement databases with immigration\nauthorities to determine whether to allow aliens to enter the United States.\n\n       Differences between the FBI and the DHS over the number (2 or 10)\nand type of fingerprints (flat or rolled) to be collected held up progress in\nthis area. DHS deployed an additional system in 2004, US-VISIT, which\nuses IDENT to collect fingerprints, and is also used by Department of State\nemployees at visa-issuing consulates. The principal barriers to achieving\ninteroperability identified in an OIG December 2004 report were the different\nfingerprint collection requirements of the two agencies, and disagreement on\nthe details of how to make information readily accessible to federal, state,\nand local law enforcement agencies. The most recent OIG report on the\nfingerprint integration issue indicated that the first barrier was resolved by\nDHS\xe2\x80\x99 May 2005 decision to implement a 10-print standard. Currently,\nefforts are underway to make IAFIS, IDENT, and US-VISIT fully\ninteroperable by December 2009.\n\n      The OIG recently released an audit report on the Integrated Wireless\nNetwork (IWN) project that is intended to enhance the ability of federal law\nenforcement agencies in the Departments of Justice, Homeland Security,\nand Treasury to communicate with each other. 33 IWN would also allow\ninteroperability with state and local law enforcement partners and meet\nmandates to use federal radio frequency spectrum more efficiently. The\nOIG\xe2\x80\x99s audit found that the project, which may cost $5 billion, is at high risk\n\n       32\n           Department of Justice, Office of the Inspector General, Follow-up Review of the\nFBI\xe2\x80\x99s Progress Toward Biometric Interoperability Between IAFIS and IDENT, Inspections\nReport I-2006-007, July 2006, is the most recent report in the series of six reports.\n       33\n         Department of Justice, Office of the Inspector General, Progress Report on\nDevelopment of the Integrated Wireless Network in the Department of Justice, Audit Report\n07-25, March 2007.\n\n\n                                            47\n\x0cof failing to deploy an integrated wireless network for use by the three\nfederal departments. The reasons include a fractured IWN partnership, lack\nof an effective governing structure for the project, and disparate\ndepartmental funding mechanisms that allow the departments to pursue\nseparate wireless communications solutions apart from IWN.\n\nContract Management Weaknesses\n\n      The OIG conducted an audit of the FBI\xe2\x80\x99s Trilogy project to assess the\nFBI\xe2\x80\x99s progress in meeting cost, schedule, technical, and performance targets\nfor the three components of Trilogy. 34 The OIG found that the VCF portion\nof the Trilogy project significantly exceeded the original schedule and\nbudget. In addition, the FBI received an additional $78 million to accelerate\nthe infrastructure and communications portions of the Trilogy project. Those\nsegments were completed by April 2004, only one month before the original\ntarget date of May 2004. The audit found that while the Trilogy project had\nsucceeded in improving the FBI\xe2\x80\x99s IT infrastructure and communications\ncapabilities, the new case management system was incomplete and would\nnot meet the FBI\xe2\x80\x99s needs. The OIG recommended the FBI monitor its\nEnterprise Architecture and apply ITIM processes to improve the FBI\xe2\x80\x99s ability\nto identify, select, and manage future IT projects. Since then, the FBI has\nimplemented a formal project management and oversight methodology, its\nLife Cycle Management Directive (LCMD), to address these weaknesses and\nthe LCMD is being used in the current Sentinel project. 35\n\n      The OIG examined the LIMS project and found that firmly managed\nschedule, cost, technical, and performance benchmarks would have raised\nwarning signs earlier in the project. The LIMS contract was awarded 14\nmonths before the FBI implemented its LCMD, a critical initiative that\nprovided the FBI with a structured IT investment management process. The\nLCMD also involves project oversight at the enterprise level. In the LIMS\naudit, the OIG made recommendations to consider whether an existing\ncommercial off-the-shelf system would meet the FBI\xe2\x80\x99s needs, ensure that\nany future laboratory information system follows the FBI\xe2\x80\x99s LCMD processes\n\n       34\n           Department of Justice, Office of the Inspector General, The Federal Bureau of\nInvestigation\xe2\x80\x99s Management of the Trilogy Information Technology Modernization Project,\nAudit Report 05-07, February 2005.\n       35\n            The FBI\xe2\x80\x99s LCMD methodology is fully documented in U.S. Department of Justice,\nOffice of the Inspector General, The Federal Bureau of Investigation\xe2\x80\x99s Pre-Acquisition\nPlanning for and Controls Over the Sentinel Case Management System, Audit Report 06-14,\nMarch 2006.\n\n\n                                            48\n\x0cand is overseen by an experienced IT project manager, and establish\ncontrols to ensure that expenses are not incurred prematurely in the\ndevelopment of a successor project.\n\n      During its annual financial statement audit, the OIG identified\ninadequate oversight of contract staff as a weakness in financial statement\naudits, specifically at OJP. 36 The OIG audit found that OJP contractors do\nnot consistently adhere to Department policies and procedures for managing\nsystem changes and do not consistently provide OJP management with\nnecessary technical and logistical information for production systems. As a\nresult, OJP management is unaware of system operational information and\nsystem modifications implemented by the contractors. The OIG concluded\nthat the OJP CIO needed to improve his oversight and monitoring of\ncontractor activities in order to reduce the risk of negative effects on OJP\noperations and financial data.\n\nIT Program Management\n\n      The OIG audit of JMD\xe2\x80\x99s Joint Automated Booking System (JABS) found\nthat booking stations installed at Bureau of Prisons (BOP) facilities were\nbrought online in April 2004, 2 years after the equipment was installed\nduring the summer of 2002. 37 According to JMD officials, the software that\nwas originally installed with the equipment had major problems that were\nnot discovered until after all 240 JABS workstations had been installed. The\n2-year delay in implementing JABS at the BOP was caused by inadequate\noversight of the contractor\xe2\x80\x99s work.\n\n      Since then, in audit reports issued in 2004 and 2005, the OIG found\nthat the Department has begun to improve its oversight and guidance of the\ncomponents\xe2\x80\x99 EA and ITIM processes on Department-developed\nframeworks. 38 In its audit of the Status of Enterprise Architecture and\nInformation Technology Investment Management in the Department of\nJustice, the OIG made recommendations for improving the Department\xe2\x80\x99s IT\n\n       36\n         U.S. Department of Justice, Office of the Inspector General, Office of Justice\nPrograms Annual Financial Statement Fiscal Year 2006, Audit Report 07-21, March 2007.\n       37\n         U.S. Department of Justice, Office of the Inspector General, The Joint Automated\nBooking System, Audit Report 05-22, May 2005.\n       38\n           Department of Justice, Office of the Inspector General, The Status of Enterprise\nArchitecture and Information Technology Investment Management in the Department of\nJustice, Audit Report 06-02, November 2005.\n\n\n                                             49\n\x0cmanagement, including completing the Department-wide Enterprise\nArchitecture, providing guidance to components for the development and\nmaintenance of EAs, ensuring that components requiring ITIM processes\ndevelop them, and establishing a clear schedule for completing the ITIM\nframework and a mature ITIM process.\n\n       In another audit, the OIG found the DEA had made significant progress\nin managing its EA and the ITIM processes. 39 Although the DEA had not yet\ndeveloped a target EA or developed a transition plan to accomplish its\ntarget, it had established a foundation by developing an overview of its\nexisting IT structure. The DEA also assigned roles, committed resources,\nand established a plan to complete its target architecture. When the EA is\ncomplete, the DEA will be able to better manage current and future IT\ninfrastructure and applications.\n\n      The OIG\xe2\x80\x99s first in a series of audits examining Sentinel evaluated its\ndevelopment and implementation by reviewing the management processes\nand controls the FBI applied to the pre-acquisition phase of Sentinel. 40 The\nOIG found that the FBI established ITIM processes through its Life Cycle\nManagement Directive (LCMD) and was working to fully define its enterprise\narchitecture. If followed, the FBI\xe2\x80\x99s new IT management processes, reviews,\nand controls, coupled with external oversight by the OIG, contractors,\ncongressional committees, and others, should help the FBI identify and\nminimize failures to achieve cost, schedule, performance, and technical\nbenchmarks for the Sentinel project.\n\n      The OIG review of the TSC identified numerous problems with data in\nthe database that is used for screening persons from consolidated terrorist-\nrelated watch lists, most of which resulted from the urgency with which the\nconsolidated database was implemented. 41 The data problems included\nincomplete, missing, and inaccurate information in records, and duplicate\nrecords containing inconsistent information. The potential effects of these\n\n       39\n          Department of Justice, Office of the Inspector General, The Drug Enforcement\nAdministration\xe2\x80\x99s Management of Enterprise Architecture and Information Technology\nInvestments, Audit Report 04-36, September 2004.\n       40\n           Department of Justice, Office of the Inspector General, The Federal Bureau of\nInvestigation\xe2\x80\x99s Pre-Acquisition Planning For and Controls Over the Sentinel Case\nManagement System, Audit Report 06-14, March 2006.\n       41\n          Department of Justice, Office of the Inspector General, Review of the Terrorist\nScreening Center, Audit Report 05-27, June 2005. (Limited Official Use and Redacted)\n\n\n                                            50\n\x0cdata integrity problems include the possibility that screeners may not\nidentify known terrorists during screening. The OIG found that these were\ncaused by a lack of strategic planning, weak planning due to the pressure to\nimplement a system, and user training weaknesses. The OIG is currently\nperforming a follow-up review on the accuracy of the TSC watchlist.\n\nPost-Implementation Evaluations\n\n      We originally planned to use evaluations we obtained from\ncomponents to identify problems the Department has experienced in\nplanning for its IT systems. However, this proved impossible because the\nDepartment has produced few meaningful evaluations of project\nmanagement for either successful or failed IT projects, with the exception of\ntwo terminated projects in the FBI.\n\n       According to the DOJ SDLC, one purpose of post-implementation\nreviews is to assess the effectiveness of the life-cycle development activities\nthat produced the system. This includes analyzing if proper limits were\nestablished in the feasibility study and if they were maintained during\nimplementation, addressing the reasons for variances between planned and\nrealized benefits, addressing the reasons for differences between estimated\nand actual costs, and evaluating whether training was adequate,\nappropriate, and timely. The review results are intended to be used to\nstrengthen the system development procedures as well as the system itself.\n\n       The DOJ ITIM Guide calls for continuous monitoring of investments to\nassess progress against established cost, schedule, and performance metrics\nin order to mitigate any risks or costs on an on-going basis. The ITIM Guide\nalso indicates that the activities of the evaluation phase include applying\nlessons learned from post-implementation reviews and periodic operational\nanalyses for ITIM process improvement. The lessons learned for ITIM\nprocess should be incorporated into the select and control phases for future\nIT investments.\n\n      We reviewed the seven post-implementation review reports we\nobtained, four of which did not contain information on lessons learned in\nproject management. The reports included two classified project closeout\nreports on two phases of one project. According to one of the reports, one\nphase was accomplished on schedule and within budget and included no\nlessons learned or discussion of any problems. The other report contained\ntwo lessons learned that were marked as unclassified. The lessons were:\n\n\n\n                                      51\n\x0c  \xe2\x80\xa2   The adequacy of contractor performance was directly related to the\n      level of oversight and attention-to-detail by the government team.\n      The recommendation associated with this lesson was to schedule face-\n      to-face meetings with the contractor and maintain that schedule.\n\n  \xe2\x80\xa2   The initial budget for the program did not include all necessary costs to\n      support external customers. The recommendation was to use an\n      independent government cost estimate to determine whether the\n      contractor\xe2\x80\x99s proposed price/cost is reasonable.\n\n       JMD\xe2\x80\x99s JCON project has produced two reports of lessons learned on the\nimplementation of JCON in two components. The report on JCON\nimplementation in the Civil Division described the need for better definition\nof project milestones and performance indicators to improve\ncommunications and develop a shared perspective on project performance.\nIt also identified needs: (1) to devote greater attention and resources to\nquality review of deliverables and other work products, (2) for closer and\nmore detailed review of requirements and design phase documentation, and\n(3) for improved adherence to change control procedures. The report on\nJCON implementation in the Civil Rights Division identified opportunities for\nimprovement in the areas of communication and thoroughness of design.\nComments in the report noted that requirements gathering needed to be as\ngood as possible to avoid problems with design and implementation.\n\n      In addition, an assessment against project performance metrics was\nperformed for one portion of the DEA\xe2\x80\x99s E-Commerce project. The evaluation\nprovided performance data, but no lessons learned information about project\nmanagement.\n\n      In light of the limited number and scope of evaluations of project\nmanagement, the Department should ensure that post-implementation\nevaluations and post-termination evaluations of IT projects are performed so\nlessons learned can be incorporated into the Department\xe2\x80\x99s standards and\nused to improve project management on future projects.\n\n\n\n\n                                      52\n\x0cConclusion\n\n      Prior OIG reports have identified planning problems on individual\nsystems and projects that include weaknesses in business process\nre-engineering, requirements planning, cooperation between agencies, and\nIT program and contract management. These weaknesses have contributed\nto:\n\n   \xe2\x80\xa2   project re-starts, cost increases, and delays in implementation of the\n       FBI\xe2\x80\x99s case management system;\n\n   \xe2\x80\xa2   termination of the FBI\xe2\x80\x99s LIMS project;\n\n   \xe2\x80\xa2   delays in implementing an interoperable fingerprint identification\n       system that can be used by the Departments of Justice, Homeland\n       Security, State, and state and local law enforcement; and\n\n   \xe2\x80\xa2   data integrity problems in the TSC database.\n\n      We originally planned to use evaluations we obtained from\ncomponents to identify problems the Department has experienced in\nplanning for IT systems. This was not possible because the Department has\nproduced almost no meaningful evaluations of project management for\neither successful or failed IT projects, with the exception of two FBI projects.\nPost-implementation evaluations and audits of individual projects identified\nweaknesses in contract management, and excessive reliance on contractors.\n\nRecommendations\n\n       We recommend that the CIO:\n\n   3. Ensure that post-implementation and post-termination evaluations are\n      conducted that focus on lessons learned for project planning and\n      management.\n\n   4. Ensure that staff receive training to obtain skills needed to adequately\n      direct and oversee contractor efforts.\n\n   5. Implement targeted reviews to improve the use of business process\n      re-engineering and requirements analysis early in concept\n      development.\n\n\n\n                                      53\n\x0c                  STATEMENT ON INTERNAL CONTROLS\n\n      In planning and performing our audit, we considered management\ncontrols for the purpose of determining the Department\xe2\x80\x99s oversight role over\nIT studies, plans, and evaluations. This evaluation was not made for the\npurpose of providing assurance on the Department\xe2\x80\x99s internal controls for IT\nas a whole.\n\n      As described in the Findings and Recommendations section of this\nreport, we identified weaknesses in the Department\xe2\x80\x99s oversight of IT studies,\nplans, and evaluations. We did not identify any additional weaknesses.\n\n      Because we are not expressing an opinion of the Department\xe2\x80\x99s internal\ncontrols over IT as a whole, this statement is intended solely for the\ninformation and use of the Department in managing its IT oversight role.\nThis restriction is not intended to limit the distribution of this report, which is\na matter of public record.\n\n\n\n\n                                        54\n\x0c                                                                   APPENDIX I\n\n                OBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjectives\n\n        Our audit objectives were to: (1) identify all research, plans, studies,\nand evaluations that the Department of Justice (Department) has produced,\nor is in the process of producing, concerning IT systems, needs, plans, and\ninitiatives; and (2) analyze the depth and scope of the problems the\nDepartment has experienced in the formulation of its IT plans.\n\nScope and Methodology\n\n      The audit was performed in accordance with the Government Auditing\nStandards and included tests and procedures necessary to accomplish the\nobjectives.\n\n       This audit was performed in response to a congressional request\nincluded in the Department\xe2\x80\x99s appropriation for FY 2006. This report is the\nfinal in a series of three reports prepared by the OIG in response to the\ncongressional request. Specifically, Congress instructed the OIG to present\nto the Committees on Appropriations: (1) an inventory of all major\nDepartment information technology (IT) systems and planned initiatives,\nand (2) a report that details all research, plans, studies, and evaluations that\nthe Department has produced, or is in the process of producing, concerning\nIT systems, needs, plans, and initiatives. The report is also to include an\nanalysis that will identify the depth and scope of problems the Department\nhas experienced in the formulation of its IT plans. This report responds to\nthe request for a report that details the research, studies, plans, and\nevaluations.\n\n      We identified relevant federal, Departmental, and component-specific\nrequirements and standards for IT research, studies, plans, and evaluations,\nand merged the various standards into a generic set of documents.\n\nWe performed fieldwork at the:\n\n                  Justice Management Division, Washington, D.C.;\n\n                  Drug Enforcement Administration, Arlington, Virginia; and\n\n                  Federal Bureau of Investigation, Washington, D.C.\n\n                                       55\n\x0c      We reviewed policy and procedures regarding processes related to\ncapital planning and investment control, information technology investment\nmanagement, and system development life-cycle processes.\n\n      We requested and obtained documents from the components to\ndevelop the inventory, and assessed compliance with the document\nstandards for the major systems in the inventory. We did not limit the time\nperiod of documents we requested, because some of the systems and\nprojects had been operational for many years and may have already\nprepared studies, plans, and evaluations.\n\n       To evaluate problems the Department has experienced in planning, we\nreviewed relevant audit and other independent reports, extending the scope\nof our audit work to some systems and projects that were not included in\nthe inventory of major systems. We also analyzed the evaluations obtained\nfor information about problems the Department has experienced in\nformulating IT plans.\n\n\n\n\n                                    56\n\x0c                                                               APPENDIX II\n\n                              ACRONYMS\n\n  Acronym                                Represents\nAFMS        Automated Facilities Management System\nATF         Bureau of Alcohol, Tobacco, Firearms, and Explosives\nATO         Approval to Operate\nAU          Accreditation Unit\nBOP         Bureau of Prisons\nBPR         Business Process Reengineering\nBRIDG       Biometric Reciprocal Identification Gateway\nC&A         Certification and Accreditation\nCAIR        Case Agent Image Review\nCARA        Certification and Accreditation Reporting Application\nCART        Computer Analysis Response Team\nCARTSAN     Computer Analysis Response Team Storage Area Network\nCASE        Computer Assisted Software Engineering\nCDX         Counterdrug Intelligence Executive Secretariat\nCITP        Classified Information Technology Program\nCJIS        Criminal Justice Information Services\nCM/CSA      Case Management/Common Solution Architecture\nCMP         Configuration Management Plan\nCODIS       Combined DNA Index System\nCOOP        Continuity of Operations Plan\nCPOT        Consolidated Priority Organization Target\nCSOS        Controlled Substances Ordering Systems\nDCISS       DEA Classified Infrastructure Support System\nDCS         Digital Collection System\nDCU         Data Centers Unit\nDEA         Drug Enforcement Administration\nDEEP        Data Extraction and Extension Project\nDERB        Department Executive Review Board\nDHS         Department of Homeland Security\nDIRB        Department Investment Review Board\nDME         Develop, Modify, Enhance\nEA          Enterprise Architecture\nE-Com       Electronic Commerce\nEDMS        ELSUR Data Management System\nEIMO        ELSUR Information Management Office\n\n\n                                     57\n\x0c  Acronym                                Represents\nEIS         EPIC Information Systems\nELSUR       Electronic Surveillance\nEOIR        Executive Office for Immigration Review\nEOS         Enterprise Operations Services\nEOUSA       Executive Offices for the United States Attorney\nEPCS        Electronic Prescriptions for Controlled Substances\nEPIC        El Paso Intelligence Center\nESOC        Enterprise Security Operations Center\nESS         EPIC Seizure System\nEVENTS      Events Activity Subsystem\nEVM         Earned Value Management System\nFBI         Federal Bureau of Investigation\nFCA         Facilities Certification and Accreditation\nFDF-A       Financial Disclosure Forms Analyzer\nFISMA       Federal Information Security Management Act\nFITS        Infrastructure Technology Services\nFMS         Fingerprint Matching Subsystem\nFTTTF       Foreign Terrorist Tracking Task Force\nGAN         Grant Adjustment Notice\nIAFIS       Integrated Automated Fingerprint Identification System\nIAS         Information Assurance Section\nIATI        Information Assurance Technology Infusion\nIBIS        Integrated Ballistics Information System\nIDENT       DHS Automated Biometric Identification System\niDSM        interim Data Sharing Model\nIDW         Investigative Data Warehouse\nIMA         Investigative Mainframe Application\nIMPACT      Investigative Management Program and Case Tracking System\nIMPRB       Investment Management/Project Review Board\nIODM        Input/Output Device Management\nIPR         Intellectual Property Rights\nIRIES       Immigration Review Information Exchange System\nIRSS        Intelligence Research Support System\nIT          Information Technology\nITCP        Information Technology Contingency Plan\nITD         Investigative Technologies Division\nITN         Identification Tasking and Networking\nITOD        Information Technology Operations Division\nITS-II      Inmate Telephone System II\n\n\n                                   58\n\x0c   Acronym                                     Represents\nIWN          Integrated Wireless Network\nJCON         Justice Consolidated Office Network\nJCON-S       Justice Consolidated Office Network - Secret\nJCON-TS      Justice Consolidated Office Network - Top Secret\nJGMS         Justice Grants Management System\nJMD          Justice Management Division\nJPO          Joint Program Office\nJSIT         Justice Secret Information Technology\nJWICS        Joint Worldwide Intelligence Communications System\nLAN          Local Area Network\nLCMS         Litigation Case Management System\nLEO          Law Enforcement Online\nLMIT         Lockheed Martin Integration Task\nM204         Model 204 Corporate Systems\nMADI         Manufacturers and Distributors\nMDE          Managed Development Environment\nNCIC         National Crime Information Center\nN-DEx        Law Enforcement National Data Exchange\nNDSS         National Drug Seizure System\nNGI          Next Generation Identification\nNIBIN        National Integrated Ballistics Information Network\nNIBRS        National Incident-Based Reporting System\nNICS         National Instant Criminal Background Check System\nOCDETF       Organized Crime Drug Enforcement Task Force\nOCIO         Office of the Chief Information Officer\nODAG         Office of the Deputy Attorney General\nOFC          OCDETF Fusion Center System\nOJP          Office of Justice Programs\nOMB          Office of Management and Budget\nOTIS         Operational Test for Impact on Security\nPIA          Privacy Impact Assessment\nPKI          Public Key Infrastructure\nPMO          Program Management Office\nPMP          Project Management Plan\nPMR          Program Management Review\nPOAM         Plans of Actions and Milestones\nPOC          Point of Contact\nPTA          Privacy Threshold Analysis\n\n\n                                      59\n\x0c   Acronym                                   Represents\nQAP          Quality Assurance Plan\nRAMP         Risk Assessment and Management Plan\nR-DEx        Regional Data Exchange\nRITS         Request for Information Technology Services\nRMP          Risk Management Plan\nRTM          Requirements Traceability Matrix\nSAE          Secret Administrative Enclave\nSANS         Storage Area Networks\nSCION        Secure Compartmented Information Operational Network\nSDLC         System Development Life Cycle\nSEMP         Systems Engineering Management Plan\nSITP         System Integration and Test Plan\nSMIS         Security Management Information System\nSOW          Statement of Work\nSPIU         Systems Programming & Integration Unit\nSRTM         Security Requirements Traceability Matrix\nSSAA         System Security Authorization Agreement\nSSIAC        Security System Integration and Assessment Center\nSSP          System Security Plan\nTACLANE      Tactical Fastlane\nTEMP         Test and Evaluation Master Plan\nTI           Technology Infusion Program\nTRP          Technology Refreshment Program\nTRUFACS      Trust Fund Accounting and Commissary System\nTS/SCI       Top Secret/Special Compartmented Information\nTSC          Terrorist Screening Center\nTSDB         Terrorist Screening Center Database\nUCR          Uniform Crime Reporting [Program]\nUFMS         Unified Financial Management System\nUS-VISIT     United States Visitor and Immigrant Status Indicator Technology\nW2KE         Windows 2003\nWBS          Work Breakdown Structure\n\n\n\n\n                                      60\n\x0c                                                                               Appendix III\n\n                                  IT STRATEGIC PLANS\n\n                                                                                 Document\nOrganization                          Document Title\n                                                                                    Date\nDOJ           DOJ IT Strategic Plan, Fiscal Years 2006-2011                   Jun 2006\nATF           Information Technology Strategic Plan, 2006-2011\nBOP           Information Technology Strategic Plan, FY 2004-2009\nDEA           IT Strategic Plan, FY 2005-2009\n              Strategic Plan, Information Resource Management, Fiscal Years\nEOIR                                                                          Feb 2006\n              2005-2010\nFBI           Information Technology Strategic Plan, FY 2007-2011             Oct 2005\nSource: Department of Justice components\n\n\nOther studies, plans, and evaluations are listed in Appendix VI with the\nsummary of each system or project.\n\n\n\n\n                                               61\n\x0c                                                                                                              APPENDIX IV\n                                                COMPLIANCE MATRIX 42\n\n                                      DEA                                                DEA           DEA\n             Test Name                            DEA E-Com          DEA EPIC                                 DEA Merlin\n                                    Concorde                                           Firebird        M204\n      Market/Other Research                                            427, 432           1379\n                                                                     77, 428, 430,\n       Business Case Studies           26, 32       58, 61, 64                        123, 136, 1378    80        271\n                                                                      1401, 1403\n    Privacy Impact Assessment           35             56                1411\n                                                                    417, 429, 1404,\n      Risk Management Plans            46, 47         60, 72                                           1394     261, 271\n                                                                         1408\n            Acquisition Plans           49                              1400              1380                    271\n                                                                      419, 1402,      128, 129, 133,    82,\n             Project Plans             42, 48       70, 71, 68                                                  266, 268\n                                                                         1405              135         1022\n                                                                    420, 421, 431,\n             Security Plans            25, 50          74                             124, 140, 1021    85        272\n                                                                         1400\n      Systems Engineering                                                                                      1427, 1428,\n                                                       65             424, 1400\n       Management Plans                                                                                           1429\n    Configuration Management\n                                       28, 29          53             425, 1400            116          81        1431\n               Plans\n     Quality Assurance Plans            83             67                 83               130          83      83, 1432\n    Verification and Validation                                                                                1423, 1424,\n                                                       75                426                            79\n               Plans                                                                                           1425, 1426\n             Test Plans                 44            52, 75          1409, 1412           131         1420       1384\n         Conversion Plans\n      Implementation Plans              41             65                               118, 139               1430, 1433\n\n\n       42\n           The numbers in the columns refer to the document numbers in Appendix V. For example, the number 32\nunder Business Case Studies for DEA Concorde refers to Appendix V, item number 32, which is the Cost/Benefit\nAnalysis Report for IMPACT, (a part of the Concorde project). Numbers shown in normal font are documents we are\nreporting as studies, plans, and evaluations, as opposed to other artifacts we accepted as contributing to compliance in\neach area, which are shown in italics. Shaded cells indicate that we obtained no documents or other artifacts that we\naccepted in response to our request.\n\n\n                                                               62\n\x0c                             DEA                                            DEA           DEA\n     Test Name                              DEA E-Com       DEA EPIC                             DEA Merlin\n                           Concorde                                       Firebird        M204\n    Training Plans             51              76              423                                   1422\n  Contingency/ COOP           30, 31          54, 55           422            141                     259\n   Disposition Plans\nRequirements Evaluations\n\n                                                                                                 257, 258, 260,\n    Test Evaluations       23, 24, 40, 50      73           1410, 1412     131, 137       1421\n                                                                                                   272, 1385\n                                                                         117, 120, 121,\nPerformance Evaluations         38                                                               262, 264, 265\n                                                                           132, 138\n  Post-implementation\n                                               57                             117\n      Evaluations\n\n\n\n\n                                                       63\n\x0c                                                                                         JMD\n       Test Name              JMD CITP            JMD IWN              JMD JCON                      JMD PKI          JMD UFMS\n                                                                                        LCMS\n Market/Other Research             154                1388               227, 1012        250            232         1417, 1418, 1419\n                                                                       227, 228, 229,   248, 250,   216, 217, 232,\n  Business Case Studies       157, 158, 173    198, 201, 206, 1389                                                      90, 91, 99\n                                                                            387         252, 256      233, 1017\n                              161, 162, 175,\nPrivacy Impact Assessment                                                380, 390         1383           235              1399\n                                   176\n                                                                       387, 391, 392,\n                                                                                                    225, 231, 236,\n Risk Management Plans        180, 181, 182      204, 206, 211         393, 394, 398,     254                          99, 101, 110\n                                                                                                      239, 240\n                                                                       399, 400, 408\n                                                                       374, 387, 391,\n    Acquisition Plans         142, 159, 173         195, 206                                                            86, 87, 99\n                                                                       392, 393, 394\n                              155, 171, 177,                           387, 391, 392,\n      Project Plans                              205, 209, 1004                         254, 255      236, 1008           93, 94\n                                   179                                 393, 394, 1005\n                                                                       387, 391, 392,\n      Security Plans          183, 188, 189      199, 206, 214                                        231, 244        100, 103, 105\n                                                                       393, 394, 404\n  Systems Engineering\n                                   152                205                   407                                            96\n   Management Plans\nConfiguration Management\n                                146, 147              196                   372           253         219, 220            88, 89\n           Plans\n                                                                       376, 377, 378,\n Quality Assurance Plans                              210              379, 382, 388,     254         230, 236             95\n                                                                            395\nVerification and Validation\n                                153, 190         192, 193, 194              384\n           Plans\n                              153, 168, 184,\n        Test Plans                             192, 193, 194, 213        405, 406                        245               97\n                                185, 186\n    Conversion Plans              150                                    379, 382                                           92\n  Implementation Plans          151, 187            203, 215             379, 382                        222               106\n     Training Plans               145                 208                379, 382                        247               109\n   Contingency/ COOP            148, 149              197                   373                          226\n    Disposition Plans                                                                                    218\nRequirements Evaluations\n                              143, 160, 168,\n     Test Evaluations                                 212                401, 403                   231, 242, 246\n                                   186\n\n\n\n\n                                                                  64\n\x0c                                                                      JMD\n     Test Name            JMD CITP   JMD IWN        JMD JCON                JMD PKI         JMD UFMS\n                                                                     LCMS\nPerformance Evaluations                202               375                221, 223, 243      99\n Post-implementation                                371, 385, 386,\n                                       202                                      238\n     Evaluations                                         402\n\n\n\n\n                                               65\n\x0c                                 ATF\n      Test Name                               BOP ITS-II        EOIR e-World           ODAG OFC            OJP JGMS\n                                NIBIN\n                                                                                     1369, 1370, 1371,\n Market/Other Research            7, 8            416                  854           1372, 1374, 1375,\n                                                                                        1376, 1377\n                                                                                     276, 292, 294, 304,   345, 349, 360,\n  Business Case Studies            8            18, 1392            111, 112\n                                                                                          316, 327              364\nPrivacy Impact Assessment          9              20                   860                  320\n                                                                                     316, 318, 326, 328,\n Risk Management Plans          7, 8, 13        412, 413          112, 114, 115                            360, 364, 368\n                                                                                          330, 331\n    Acquisition Plans             8, 12           19                   112             274, 275, 306            364\n                                                                                       321, 322, 323,\n      Project Plans                               412             851, 852, 853                            352, 353, 360\n                                                                                        1013, 1014\n\n      Security Plans               14             21            113, 863, 865, 867          334                 340\n\n  Systems Engineering\n                                                  415\n   Management Plans\nConfiguration Management\n                                                                    856, 857                                 341, 363\n           Plans\n Quality Assurance Plans                                               868                83, 321\n                                                                                                           346, 347, 348,\nVerification and Validation\n                                                                                                           350, 351, 357,\n           Plans                                                                                                360\n                               15, 1397,                                             284, 288, 303, 324,\n        Test Plans                                                     864                                 346, 347, 348\n                                 1398                                                     325, 335\n    Conversion Plans                              22\n                              1413, 1414,                                                                  352, 353, 356,\n  Implementation Plans                            22              851, 852, 853             287\n                              1415, 1416                                                                        360\n     Training Plans               17                                                        289                 359\n  Contingency/ COOP               2, 3            414                  855                  305                 342\n    Disposition Plans\nRequirements Evaluations\n                                                                                     278, 279, 281, 282,\n                              15, 16, 1395,                                                                345, 350, 351,\n     Test Evaluations                             409                  864           290, 297, 335, 336,\n                                  1396                                                                     357, 366, 1390\n                                                                                            338\n\n\n\n                                                           66\n\x0c                           ATF\n     Test Name                       BOP ITS-II   EOIR e-World     ODAG OFC            OJP JGMS\n                          NIBIN\n                                                                 277, 298, 300, 301,\n                                                                                       343, 344, 354,\nPerformance Evaluations   7, 8, 11                    862        308, 309, 310, 313,\n                                                                                       355, 358, 364\n                                                                        314\n Post-implementation\n                                                                        311\n     Evaluations\n\n\n\n\n                                             67\n\x0c                               FBI          FBI         FBI\n      Test Name                                                     FBI DCS         FBI DCU        FBI EDMS        FBI FTTTF\n                              BRIDG       CARTSAN      CODIS\n Market/Other Research\n                                                                     493, 494,                       540, 542,\n                              454, 455,    437, 444,   465, 467,                                                   558, 559, 562,\n  Business Case Studies                                              495, 523,       486, 489        550, 552,\n                              457, 1036      1023      468, 469                                                      563, 1026\n                                                                      1024                             1025\nPrivacy Impact Assessment        459         446         471         510, 511                           529\n                                                                                     478, 487,\n Risk Management Plans        458, 462     447, 448    473, 474        521                         547, 548, 549     565, 566\n                                                                                     488, 489\n     Acquisition Plans                                   475\n                                                                     498, 501,\n                                                                                     481, 487,\n       Project Plans             456         450       466, 472      516, 517,                       544, 545           564\n                                                                                   488, 489, 490\n                                                                   518, 519, 528\n                                                                     497, 499,\n                                                       464, 470,\n      Security Plans                       435, 449                  500, 522,     479, 489, 492     530, 553\n                                                         476,\n                                                                   524, 525, 526\n  Systems Engineering\n                                                                                                                        567\n   Management Plans\nConfiguration Management\n                                             438                       496                             532\n           Plans\n Quality Assurance Plans                     439\nVerification and Validation\n           Plans\n                                                                                                                   560, 568, 569,\n        Test Plans                           436                       527             485           531, 555\n                                                                                                                     570, 571\n    Conversion Plans                                                                                   554\n  Implementation Plans                       434                                                       537              561\n     Training Plans                          442                                                       551\n   Contingency/ COOP                                     477                           480             533\n    Disposition Plans                                                                  484\nRequirements Evaluations\n     Test Evaluations                        436\n\n\n\n\n                                                        68\n\x0c                           FBI         FBI        FBI\n     Test Name                                           FBI DCS    FBI DCU     FBI EDMS        FBI FTTTF\n                          BRIDG      CARTSAN     CODIS\n                                                                    483, 484,\n                                                                                  535, 536,\nPerformance Evaluations   460, 461    441, 443    463    509, 520   487, 488,\n                                                                                538, 543, 546\n                                                                    489, 491\n\n Post-implementation\n                                                           514\n     Evaluations\n\n\n\n\n                                                 69\n\x0c      Test Name               FBI IAFIS       FBI IATI          FBI IDW     FBI LEO        FBI NCIC        FBI N-DEx\n\n Market/Other Research\n                                                600, 601,                                    668, 674,\n  Business Case Studies           1027                                         1017                        695, 697, 1029\n                                              605, 611, 612                                    1028\nPrivacy Impact Assessment                          613                                                        1386\n  Risk Management Plans                       616, 617, 618     631, 632       656           683, 684        700, 701\n     Acquisition Plans\n\n       Project Plans                          598, 609, 614                  646, 653      679, 680, 682     699, 1387\n\n      Security Plans            588, 591      619, 623, 624       633          642           685, 688           702\n  Systems Engineering\n                                592, 593          621                                          687\n   Management Plans\nConfiguration Management\n                                  582             602                          647             669\n           Plans\n Quality Assurance Plans          589             615\nVerification and Validation\n                                  586\n           Plans\n                                                                             637, 638,       675, 676,\n        Test Plans              577, 584      625, 626, 627                                                     694\n                                                                           639, 655, 657     686, 690\n    Conversion Plans            596, 597          629             636          659           691, 693\n                                                                             643, 644,\n                                574, 576,\n  Implementation Plans                          608, 622          630        649, 650,         670\n                              579, 580, 583\n                                                                             651, 652\n     Training Plans             587, 595          628             635                          681\n   Contingency/ COOP                                                           645\n    Disposition Plans\nRequirements Evaluations\n                                573, 575,                                                    665, 672,\n     Test Evaluations                                             634\n                              578, 581, 585                                                673, 677, 678\n\n Performance Evaluations          594         599, 604, 610                640, 641, 658\n\n\n\n                                                           70\n\x0c   Test Name          FBI IAFIS   FBI IATI     FBI IDW   FBI LEO   FBI NCIC   FBI N-DEx\n\nPost-implementation\n                         594        606                              689\n    Evaluations\n\n\n\n\n                                          71\n\x0c                                                               FBI R-        FBI      FBI\n      Test Name                 FBI NGI        FBI NICS                                            FBI SMIS           FBI TRP     FBI TSC\n                                                                DEx         SCION   Sentinel\n Market/Other Research\n                              703, 704, 705,\n                                                                                    766, 775,      784, 788, 797,     835, 836,\n  Business Case Studies       706, 707, 708,    731, 1031       1032                                                              849, 1035\n                                                                                      1033         819, 820, 825        1034\n                              714, 716, 1030\n                              719, 720, 721,\nPrivacy Impact Assessment                                                    751       1434        791, 792, 798\n                                   722\n Risk Management Plans          728, 729                         662                 769, 772    816, 817, 818, 832               840, 845\n                                                                                     755, 773,\n     Acquisition Plans\n                                                                                    1037, 1038\n                                                                                    757, 759,\n       Project Plans             715, 726                                                        812, 813, 814, 823               844, 849\n                                                                                    761, 770\n\n\n      Security Plans                             744, 746      663, 664      753                     826, 827                     839, 846\n\n\n  Systems Engineering\n                                                                                       776\n   Management Plans\nConfiguration Management\n                                   709             732                       752       758              785\n           Plans\n Quality Assurance Plans           727             743                                 771              815\nVerification and Validation\n                                                                                                                                    848\n           Plans\n                                                                                                                                  842, 847,\n        Test Plans                             730, 737, 747     660                   777         782, 829, 831\n                                                                                                                                    848\n    Conversion Plans                             742, 749\n                                                 740, 741,\n  Implementation Plans                                                                                                              838\n                                                 745, 750\n     Training Plans                                                                                     833\n  Contingency/ COOP                              733, 735\n    Disposition Plans\nRequirements Evaluations\n    Test Evaluations                             739, 748        661         754                 778, 783, 828, 830                 843\n\n\n\n                                                                       72\n\x0c                                                      FBI R-    FBI      FBI\n     Test Name             FBI NGI         FBI NICS                                  FBI SMIS           FBI TRP   FBI TSC\n                                                       DEx     SCION   Sentinel\n                                                                                     786, 793, 794,\n                                                                       760, 762,     799, 800, 801,\n                          710, 711, 713,\nPerformance Evaluations                                                763, 764,     802, 803, 804,       836       850\n                               725\n                                                                       765, 1039     805, 806, 807,\n                                                                                   808, 809, 810, 811\n Post-implementation\n     Evaluations\n\n\n\n\n                                                          73\n\x0c                                                                               APPENDIX V\n\n                    DOCUMENTS AND OTHER ARTIFACTS 43\n\nItem ID               System or\n        Component                                          Title                            Date\nNumber                 Project\n      2   ATF          NIBIN      Contingency Plan - Appendix I, NIBIN\n      3   ATF          NIBIN      Contingency Plan, NIBIN and IBIS                          Jun 2005\n      7   ATF          NIBIN      OMB Exhibit 300 for BY 2005                              Feb 2004\n      8   ATF          NIBIN      OMB Exhibit 300 for BY 2007                              May 2006\n      9   ATF          NIBIN      Privacy Threshold Analysis, IBIS\n     11   ATF          NIBIN      Project Management Review, NIBIN, Undated\n                                  Request for Justification for Other Than Full and Open\n     12     ATF         NIBIN                                                               Jan 2002\n                                  Competition\n     13     ATF         NIBIN     Risk Assessment, NIBIN and IBIS                          Jun 2005\n     14     ATF         NIBIN     Security Plan, NIBIN and IBIS                            Jun 2005\n     15     ATF         NIBIN     Security Test and Evaluation, NIBIN                      Dec 2005\n     16     ATF         NIBIN     Security Testing and Evaluation, NIBIN                   Dec 2005\n     17     ATF         NIBIN     NIBIN Training Set 11, Version 1.2, Draft\n                                  Analysis of Alternatives, Next Generation Inmate\n     18     BOP         ITS-II                                                              Jul 1996\n                                  Telephone System\n     19     BOP         ITS-II    Individual Acquisition Planning                           Jan 1997\n     20     BOP         ITS-II    Privacy Impact Assessment                                Apr 2006\n     21     BOP         ITS-II    Inmate Telephone System (ITS-II) Security Plan           Dec 2004\n     22     BOP         ITS-II    Site Network Integration Plan, ITS-II/TRUFACS            Nov 2001\n                                  Accreditation Statement for Inclusion into Web\n     23     DEA       Concorde                                                              Jul 2002\n                                  Architecture IMPACT\n                                  Accreditation Statement, Office of Information\n     24     DEA       Concorde                                                             Oct 2004\n                                  Systems, Web Infrastructure\n                                  Action Plan, Independent Evaluation Pursuant to the\n     25     DEA       Concorde\n                                  FISMA FY 2004, DEA IMPACT System\n                                  Business Modeling Specification, IMPACT, BPR Task\n     26     DEA       Concorde                                                             Sep 2004\n                                  Order #1, Version 1.0\n                                  Configuration Management Plan, Concorde QA\n     28     DEA       Concorde                                                             Oct 2004\n                                  Findings Report\n\n\n\n      43\n          Documents and other artifacts are listed by document number assigned by\nauditors. This Appendix should be used with Appendix IV. This listing includes many\nacronyms associated with the systems and projects, but which were not used in the report.\nWe included acronyms in the list in Appendix II for reference. Blank cells in the Date\ncolumn indicate items for which no date was provided.\n\n\n                                            74\n\x0cItem ID             System or\n        Component                                       Title                            Date\nNumber               Project\n                                Configuration Management Plan, Concorde, Version\n    29    DEA       Concorde                                                             Jul 2004\n                                1.0\n    30    DEA       Concorde    Contingency Plan, Web Architecture, Version 2.0         Mar 2006\n                                Contingency Plan, Web Architecture, Version 2.0\n    31    DEA       Concorde                                                            Mar 2006\n                                (Signature Pages)\n                                Cost/Benefit Analysis Report, IMPACT, BPR Final\n    32    DEA       Concorde                                                            Apr 2000\n                                Version\n    35    DEA       Concorde    Initial Privacy Impact Assessment , Concorde\n                                OCIO: Project Dashboard Project Managers\n    38    DEA       Concorde                                                            Aug 2005\n                                Worksheet, Concorde\n\n    39    DEA       Concorde    OMB Exhibit 300 for BY 2007                             Sep 2005\n\n                                Operational Test for Impact on Security (OTIS) Report\n    40    DEA       Concorde                                                             Jul 2002\n                                of the Pilot Implementation, IMPACT\n    41    DEA       Concorde    Project Deployment Plan, Concorde, Version 1.0          Sep 2004\n                                Project Management (PMP), IMPACT Fiscal Year\n    42    DEA       Concorde                                                            Sep 2004\n                                2004, Version 2.1\n                                Project Test Plan (PTP), IMPACT, Release 2.0,\n    44    DEA       Concorde                                                            Feb 2005\n                                Version 1.0\n    46    DEA       Concorde    Risk Management Plan, Concorde, Version 1.0             Feb 2005\n                                Risk Inventory & Assessment, Section I.F., OMB\n    47    DEA       Concorde                                                            Mar 2005\n                                Exhibit 300\n    48    DEA       Concorde    Original Baseline, Section I.H.2, OMB Exhibit 300\n                                Statement of Work/Acquisition Plan, Concorde,\n    49    DEA       Concorde                                                            Nov 2002\n                                Version 1.0\n                                System Security Authorization Agreement (SSAA),\n    50    DEA       Concorde                                                            Mar 2002\n                                Appendix E, Web Architecture\n                                Training Program, PMP Concorde, FY 2006, Version\n    51    DEA       Concorde                                                            Oct 2005\n                                1.0\n                                Acceptance Test Plan, Public Key Infrastructure\n    52    DEA        E-Com                                                              Jan 2005\n                                Analysis, Diversion PKI, CSOS\n                                Configuration Management Plan, DEA Diversion\n    53    DEA        E-Com                                                              Feb 2006\n                                Control E-Commerce System, Version 1.0\n                                Contingency Plan, DEA Diversion Control E-\n    54    DEA        E-Com                                                              Nov 2003\n                                Commerce PKI System (EPCS/CSOS), Version 1.0\n                                Contingency Plan, DEA Diversion E-Commerce\n    55    DEA        E-Com                                                              May 2005\n                                System Security Plan, Appendix L, Version 1.1\n                                Detailed Privacy Impact Assessment, Attachment:\n    56    DEA        E-Com                                                              Sep 2005\n                                DEA CSOS Privacy Policy, Section IV\n                                Diversion Metrics Implementation Report, DEA\n    57    DEA        E-Com                                                              Jan 2006\n                                Diversion Control, E-Commerce System, Version 1.0\n\n\n\n                                          75\n\x0cItem ID             System or\n        Component                                      Title                           Date\nNumber               Project\n                                Economic Impact Analysis of the Electronic Orders\n    58    DEA        E-Com                                                            Mar 2005\n                                Rule\n                                Facilitated Risk Assessment Process, DEA Diversion\n    60    DEA        E-Com      Control E-Commerce PKI, SSAA, Appendix G,             Dec 2003\n                                Version 1.0\n                                Initial Economic Impact Analysis of the Proposed\n    61    DEA        E-Com                                                            Mar 2005\n                                Electronic Orders Rule\n    64    DEA        E-Com      OMB Exhibit 300 for BY 2007, Final CSOS               Sep 2005\n                                Operational and Technical Architecture, Public Key\n    65    DEA        E-Com      Infrastructure Analysis, DEA Diversion Control E-     Jun 2003\n                                Commerce PKI\n                                Process and Product Quality Assurance, DEA\n    67    DEA        E-Com                                                            May 2005\n                                Diversion Control E-Commerce System, Version 1.0\n                                Program Management Plan, DEA Diversion Control E-\n    68    DEA        E-Com                                                            Nov 2004\n                                Commerce PKI, Version 3.1\n    70    DEA        E-Com      Project Plans, CSOS FY05, Undated\n    71    DEA        E-Com      Project Plans, CSOS FY06, Undated\n                                Risk Management Plan, DEA Diversion Control, E-\n    72    DEA        E-Com                                                            Oct 2005\n                                Commerce System, Version 1.0\n                                System Security Authorization Agreement (SSAA),\n    73    DEA        E-Com                                                            Mar 2004\n                                Appendix F, CSOS and EPCS PKI\n    74    DEA        E-Com      System Security Plan, CSOS, Version 1.0               Jun 2005\n    75    DEA        E-Com      Test Plan and Reporting Procedures, CSOS/ EPCS        Dec 2001\n                                Training Plan, Public Key Infrastructure Analysis,\n    76    DEA        E-Com                                                            Aug 2002\n                                DEA Diversion Control E-Commerce PKI\n    77    DEA         EPIC      OMB Exhibit 300 for BY 2007                           Sep 2005\n                                Independent Verification and Validation (IV&V)\n    79    DEA        M204       Software Testing Procedure for Mainframe              Jun 2004\n                                Environment, Version 2.0\n    80    DEA        M204       OMB Exhibit 300 for BY 2007                            Jul 2005\n                                Project Level Configuration Management Plan, Events\n    81    DEA        M204                                                             Jun 2004\n                                Activity Subsystem (EVENTS), Version 1.0\n                                Project Management Plan (PMP), Events Activity\n    82    DEA        M204       Subsystem (EVENTS), Calendar Year 2004, Version       Jun 2004\n                                1.0\n                                Quality Management Plan (QMP), Office of\n    83    DEA       Concorde                                                          Sep 2005\n                                Information Systems (SI), Version 4.1\n                                Quality Management Plan (QMP), Office of\n    83    DEA         EPIC                                                            Sep 2005\n                                Information Systems (SI), Version 4.1\n                                Quality Management Plan (QMP), Office of\n    83    DEA        M204                                                             Sep 2005\n                                Information Systems (SI), Version 4.1\n\n\n\n                                          76\n\x0cItem ID             System or\n        Component                                       Title                             Date\nNumber               Project\n                                Quality Management Plan (QMP), Office of\n    83    DEA        Merlin                                                              Sep 2005\n                                Information Systems (SI), Version 4.1\n                                Quality Management Plan (QMP), Office of\n    83   ODAG         OFC                                                                Sep 2005\n                                Information Systems (SI), Version 4.1\n                                Systems Security Authorization Agreement (SSAA),\n    85    DEA        M204                                                                Nov 2004\n                                Model 204 Corporate Systems\n                                Acquisition Plan UFMS Integration and\n    86    JMD        UFMS                                                                 Jun 2005\n                                Implementation Services, (Draft)\n    87    JMD        UFMS       Acquisition Strategy Paper, DOJ UFMS                      Jun 2002\n    88    JMD        UFMS       Configuration Management Plan, Version 1.0               Aug 2005\n    89    JMD        UFMS       Configuration Management Plan, Version 2.0                Jun 2006\n    90    JMD        UFMS       Cost Benefit Analysis, DOJ UFMS Project                  May 2003\n    91    JMD        UFMS       Cost Benefit Analysis, Draft                             Mar 2004\n    92    JMD        UFMS       Data Conversion Strategy, Version 1.0                      Jul 2006\n                                DOJ Program Office Charter and Program\n    93    JMD        UFMS                                                                Sep 2004\n                                Management Plan, Version 2.0\n                                Implementation and Integration - Project Management\n    94    JMD        UFMS                                                                 Jun 2006\n                                Plan, Version 1.0\n                                Integration and Implementation - Quality Control Plan,\n    95    JMD        UFMS                                                                 Jul 2006\n                                Version 1.0\n                                Integration and Implementation - Systems Engineering\n    96    JMD        UFMS                                                                 Jul 2006\n                                Plan\n                                Integration and Implementation Test and Evaluation\n    97    JMD        UFMS                                                                 Jul 2006\n                                Master Plan\n    99    JMD        UFMS       OMB Exhibit 300 for BY 2007                              Dec 2005\n   100    JMD        UFMS       POAM Report, UFMS                                        Dec 2005\n   101    JMD        UFMS       Risk and Issue Management Plan, Version 2.0              Sep 2004\n   103    JMD        UFMS       Security Management Plan (UFMS), Version 1.0             Jan 2006\n   105    JMD        UFMS       System Security Plan (SSP) for DOJ UFMS                  Dec 2005\n   106    JMD        UFMS       System Implementation Plan, Version 1.0                   Jul 2006\n   109    JMD        UFMS       Training Strategy, Version 1.0                            Jul 2006\n                                Vulnerability/ Countermeasures and Threat Pairing,\n   110    JMD        UFMS                                                                Dec 2005\n                                UFMS\n                                Alternatives/Cost Benefit Analysis Report for\n   111    EOIR       eWorld                                                              Mar 2005\n                                Alternatives Analysis of eWorld for FY 2005\n   112    EOIR       eWorld     OMB Exhibit 300 for BY 2007                               Jan 2006\n   113    EOIR       eWorld     Residual Risk Report for JCON-II/CASE, EOIR              Nov 2005\n   114    EOIR       eWorld     Risk Management and Areas of Concern                     Mar 2006\n   115    EOIR       eWorld     Vulnerability/Countermeasures and Threat Pairing         Mar 2006\n                                Configuration Management Plan (CMP), FITS, Version\n   116    DEA       Firebird                                                              Jan 2006\n                                1.3\n\n\n                                          77\n\x0cItem ID             System or\n        Component                                       Title                             Date\nNumber               Project\n    117   DEA        Firebird   Enterprise Health and Performance Metrics Review         May 2006\n                                EOS Software Deployment Function Description,\n   118    DEA       Firebird\n                                Version 2.5, not dated\n   120    DEA       Firebird    Firebird Daily Status Report                              Jul 2006\n   121    DEA       Firebird    Firebird Dashboard                                       Apr 2006\n   123    DEA       Firebird    Firebird Extension and Growth Strategy                   Mar 1995\n   124    DEA       Firebird    Firebird Security Overview                               Jun 2006\n                                Program Management Plan, Firebird Documentation\n   128    DEA       Firebird\n                                EOS, Version 1.0 (Draft)\n                                Project Management Plan (PMP), Firebird\n   129    DEA       Firebird                                                             Jan 2006\n                                Infrastructure Technology Services (FITS), Version 3.0\n   130    DEA       Firebird    Quality Assurance Plan, FITS, Version 2.1                Jan 2005\n                                Security Test and Evaluation Plan and Procedures,\n   131    DEA       Firebird                                                              Jul 2004\n                                Appendix E\n   132    DEA       Firebird    SIO Firebird project portfolio                            Jul 2006\n                                SIOM Firebird Sensitive but Unclassified (SBU)\n   133    DEA       Firebird\n                                Infrastructure O&M Strategic Goals & Tactical Plan\n   135    DEA       Firebird    Statement of Work for Enterprise Wide Management         Sep 2000\n   136    DEA       Firebird    Storage Matrix/SRA\n                                Test Matrix, Desktop and Server Management\n   137    DEA       Firebird\n                                Evaluation 2005\n   138    DEA       Firebird    Weekly Status Report, Enterprise Operations Services     Jun 2006\n                                Windows 2003 (W2K3) Implementation Plan, FITS\n   139    DEA       Firebird                                                             Jun 2006\n                                MDE, Version 1.2\n                                Windows 2003 Active Directory Security Groups and\n   140    DEA       Firebird                                                             Jun 2006\n                                Group Policy, FITS, Version 1.4\n                                Windows Server 2003 Infrastructure Disaster Recovery\n   141    DEA       Firebird                                                             Jun 2006\n                                Document, FITS, Version 2.1\n   142    JMD         CITP      Acquisition Plan, CITP, Version 1.0                      Jan 2006\n                                Test Cases for the Enterprise Security Operations\n   143    JMD         CITP                                                               Sep 2004\n                                Center (ESOC)\n                                Computer Security Awareness and Training (C/SAT)\n   145    JMD         CITP                                                               Dec 2003\n                                Plan, JCON-S Enterprise System, Version 2.1\n                                Published Documents, Configuration Management\n   146    JMD         CITP                                                               May 2004\n                                Plan, JCON-S, Version 1.0\n                                Configuration Management Process, JCON-S,\n   147    JMD         CITP                                                               Dec 2003\n                                Appendix V, Version 1.1\n   148    JMD         CITP      Contingency Plan, JWICS Network, Appendix M\n   149    JMD         CITP      Contingency Plan, JCON-S, Appendix L                     Feb 2004\n   150    JMD         CITP      Data Migration, ADNET to JCON-S\n   151    JMD         CITP      Sample JSIT Deployment Plan\n\n\n                                          78\n\x0cItem ID             System or\n        Component                                      Title                            Date\nNumber               Project\n    152   JMD         CITP      Design Methodology, CITP\n    153   JMD         CITP      Engagement Security Approach, JCON-S\n                                Enterprise Proof-of-Concept Functional Requirements,\n   154    JMD         CITP                                                             Dec 2003\n                                JSIT, Version 1.1\n   155    JMD         CITP      Enterprise Proof-of-Concept Project Schedule\n   157    JMD         CITP      Final Classified Networks Program E-Survey Findings    Jun 2003\n                                Fiscal Year 2005 Information Technology Concept\n   158    JMD         CITP\n                                Paper\n                                Hardware and Software Vendor Maintenance, JCON-S,\n   159    JMD         CITP                                                             Feb 2004\n                                (Draft)\n   160    JMD         CITP      Host Vulnerability Summary Report, Appendix G          Oct 2003\n   161    JMD         CITP      Initial Privacy Impact Assessment, JCON-S\n   162    JMD         CITP      Initial Privacy Impact Assessment, JCON-TS\n   168    JMD         CITP      Acceptance Test Plan and Report                        Dec 2003\n                                MOA between JCON and DTO Regarding Operation\n   171    JMD         CITP      and Support of the JCON Classified Infrastructure,     Dec 2003\n                                Version 0.2, Draft\n   173    JMD         CITP      OMB Exhibit 300 for BY 2006\n   175    JMD         CITP      Privacy Threshold Analysis, JCON-S\n   176    JMD         CITP      Privacy Threshold Analysis, JCON-TS\n   177    JMD         CITP      Program Guide, JCON-S, Version 2.1                     May 2005\n   179    JMD         CITP      Project Schedule\n   180    JMD         CITP      Risk Assessment/Risk Matrix, JWICS                     Dec 2003\n   181    JMD         CITP      Risk Management Plan, Enterprise SIPRNET, Draft        Mar 2003\n   182    JMD         CITP      Risk Management Plan, JIST, Version 1.0, Draft          Jul 2006\n   183    JMD         CITP      Security Requirements Extract, JCON-TS\n                                Security Requirements Traceability Matrix, JWICS\n   184    JMD         CITP                                                             Dec 2003\n                                Network, Appendix F, Software Version, 1.0.0.2\n                                Security Requirements/Security Requirements\n   185    JMD         CITP                                                             Feb 2004\n                                Traceability Matrix, JCON-S, Appendix D\n                                Security Test and Evaluation Plan, JCON-S, Appendix\n   186    JMD         CITP                                                             Feb 2004\n                                E\n   187    JMD         CITP      Standard Deployment Process (Chart)\n                                System Security Authorization Agreement (SSAA),\n   188    JMD         CITP                                                             Feb 2004\n                                JCON-S\n   189    JMD         CITP      System Security Plan, JWICS Network, JCON-TS           Dec 2003\n                                Task Outline for Security Scans of JCON-S and JCON-\n   190    JMD         CITP                                                             Mar 2004\n                                TS\n   192    JMD         IWN       Data System Functional Tests, JPO-Pilot System         Oct 2004\n   193    JMD         IWN       Network Management                                     Oct 2004\n   194    JMD         IWN       Report Generation Tests                                Oct 2004\n   195    JMD         IWN       Acquisition Plan, IWN JPO                              Aug 2004\n\n                                          79\n\x0cItem ID             System or\n        Component                                       Title                             Date\nNumber               Project\n    196   JMD         IWN       Configuration Management Plan, JPO IWN                   Jun 2004\n    197   JMD         IWN       Contingency Plan, JPO IWN Northwest Zone                 Jun 2005\n    198   JMD         IWN       High Level Design Report\n                                Incident Response Plan, Seattle-Blaine Beta Test\n   199    JMD         IWN                                                                Sep 2004\n                                System\n   201    JMD         IWN       Requirements Document, IWN, (Working Draft)              Jun 2002\n   202    JMD         IWN       Beta Benchmark Assessment, IWN Seattle/Blaine\n                                Organizational Readiness Transition Activities, IWN\n   203    JMD         IWN                                                                Sep 2004\n                                Seattle-Blaine Service Area\n   204    JMD         IWN       Risk Assessment, IWN BETA Test System                    Sep 2004\n   205    JMD         IWN       Master Beta Schedule, JPO                                 Jul 2003\n   206    JMD         IWN       OMB Exhibit 300 for BY 2007                               Jan 2006\n   208    JMD         IWN       Personnel Training for the Integrated Wireless Network   Nov 2004\n   209    JMD         IWN       Program Plan FY 2006, Joint Program Office, Draft        Jun 2005\n   210    JMD         IWN       Quality Assurance Plan, DOJ Wireless Network\n                                Risk Management Plan, DOJ Wireless Management\n   211    JMD         IWN                                                                Jun 2006\n                                Office, Justice Wireless Network\n   212    JMD         IWN       Seattle-Blaine System Acceptance Tests on CD\n   213    JMD         IWN       Security Test and Evaluation Report: Beta Test System    Nov 2004\n   214    JMD         IWN       System Security Plan, Beta Test System                   Nov 2004\n   215    JMD         IWN       Transition Plan                                          Oct 2004\n   216    JMD          PKI      Business Case, DOJ Enterprise PKI, Version 1.0            Jul 2004\n                                Business Case, Insource vs. Outsource, DOJ Enterprise\n   217    JMD         PKI                                                                Apr 2006\n                                PKI\n   218    JMD         PKI       Chain of Custody Processes, DOJ PKI, Version 1.01        Jun 2005\n   219    JMD         PKI       Configuration Guide, DOJ PKI, Draft                      Mar 2005\n                                Configuration Management Plan, DOJ PKI Program\n   220    JMD         PKI                                                                Mar 2005\n                                and Technical Support, Version 1.1, Draft\n   221    JMD         PKI       Department Executive Review Board Presentation           Oct 2005\n   222    JMD         PKI       Deployment Implementation Plan, DOJ PKI, Final           Jun 2005\n                                Earned Value Management, DOJ Enterprise PKI\n   223    JMD         PKI\n                                Infrastructure Service Office\n                                Risk Review HSPD-12, DOJ Enterprise System\n   225    JMD         PKI\n                                Solution, Infrastructure Services Office\n                                IT Contingency Plan, DOJ PKI, Appendix L, Revision\n   226    JMD         PKI                                                                Mar 2006\n                                3\n   227    JMD        JCON       JCON Architecture Study, Final Report                     Jan 1998\n   228    JMD        JCON       JCON Shared Services Model\n   229    JMD        JCON       JCON Strategic Plan: Arguments/Counter Arguments         Aug 2005\n   230    JMD         PKI       Phase 2 Task Order, DOJ Enterprise PKI                   May 2004\n   231    JMD         PKI       Plan of Actions and Milestones (POAM)                     Jul 2006\n\n\n\n                                          80\n\x0cItem ID             System or\n        Component                                       Title                            Date\nNumber               Project\n    232   JMD         PKI       Planning and Design Support, DOJ PKI                    Oct 2002\n    233   JMD         PKI       Position Paper for JUTnet RAS PKI Support               Oct 2005\n    235   JMD         PKI       Privacy Threshold Analysis (questionnaire)\n    236   JMD         PKI       Project Management Plan, DOJ PKI                        Aug 2004\n    238   JMD         PKI       Results of survey, Criminal Division, PKI Pilot\n    239   JMD         PKI       PKI Risk Registry                                       Apr 2006\n                                Risk Management Overview, DOJ Enterprise System\n   240    JMD         PKI\n                                Solution, Infrastructure Services Office\n   242    JMD         PKI       Security Test and Evaluation Plan (Final), DOJ PKI      May 2005\n   243    JMD         PKI       Status Report, DOJ PKI                                   Jun 2006\n   244    JMD         PKI       System Security Plan, DOJ PKI, Revision 2               Mar 2006\n   245    JMD         PKI       Test and Evaluation Master Plan, DOJ PKI, Revision 1    Apr 2005\n   246    JMD         PKI       Test Report, DOJ PKI, Draft                              Jun 2005\n   247    JMD         PKI       Training Plan, DOJ PKI, Final                           Apr 2005\n   248    JMD        LCMS       Business Concept of Operations, LCMS, Version 1.1       Oct 2005\n   250    JMD        LCMS       Final Market Research Report, LCMS                       Jun 2005\n   252    JMD        LCMS       OMB Exhibit 300 for BY 2007                             Dec 2005\n   253    JMD        LCMS       Project Configuration Management Plan, Version 1.1      Apr 2005\n   254    JMD        LCMS       Project Management Plan, Version 1.2                    Aug 2005\n   255    JMD        LCMS       Project Plan, LCMS (Spreadsheet)                        Apr 2006\n                                Technical Evaluation Report, LCMS Phase 1, Version\n   256    JMD        LCMS                                                               Apr 2006\n                                0.9, Final\n   257    DEA        Merlin     Accreditation Approval DCISS                             Jan 2004\n   258    DEA        Merlin     Approval Request for Accreditation DCISS                Aug 2003\n   259    DEA        Merlin     Contingency Plan for the DEA Merlin Program             Jun 2006\n                                COOP Test Report using VERITAS Replication EXEC\n   260    DEA        Merlin                                                             Mar 2006\n                                3.1\n                                Risk Assessment Report, DEA Classified Infrastructure\n   261    DEA        Merlin                                                             May 2005\n                                Support System\n                                Earned Value Management (EVM) Merlin, Doc #12-\n   262    DEA        Merlin                                                              Jul 2006\n                                35-41-55\n   264    DEA        Merlin     Merlin Dashboard - May                                  Jun 2006\n   265    DEA        Merlin     Merlin Engineering Review                               Apr 2006\n   266    DEA        Merlin     Merlin WBS/Schedule                                     Mar 2006\n   268    DEA        Merlin     Merlin Program Plan, Version 2                          Jun 2006\n   271    DEA        Merlin     OMB Exhibit 300 for BY 2007\n                                System Security Authorization Agreement (SSAA),\n   272    DEA        Merlin                                                             Aug 2003\n                                DCISS\n   274   ODAG         OFC       Acquisition Strategy for BY 2007\n   275   ODAG         OFC       Acquisition Strategy\n   276   ODAG         OFC       Alternative Analysis\n\n\n                                          81\n\x0cItem ID             System or\n        Component                                        Title                            Date\nNumber               Project\n    277  ODAG         OFC       ANSI 748 Compliance Plan                                 Aug 2005\n    278  ODAG         OFC       Assessment of Defects on Hold (Spreadsheet)\n                                Beta Testing Start Criteria and Status, OFC Compass\n   279   ODAG         OFC                                                                Apr 2006\n                                (Spreadsheet)\n   281   ODAG         OFC       Compass Defect Summary Report                            Jun 2006\n   282   ODAG         OFC       Compass Defect Summary Report (Spreadsheet)              Jun 2006\n   284   ODAG         OFC       Compass Functional Testing Work Plan (Spreadsheet)       Jan 2006\n   287   ODAG         OFC       Compass System \xe2\x80\x9cGo-Live\xe2\x80\x9d Timeline\n   288   ODAG         OFC       Compass Testing Timeline\n   289   ODAG         OFC       Compass Training Plan, OFC, Version 1.0                  Sep 2005\n   290   ODAG         OFC       Compass User Acceptance Test Summary Status              May 2006\n   292   ODAG         OFC       Concept of Operations, OCDETF Fusion Center              Mar 2004\n   294   ODAG         OFC       Cost Benefit Analysis, OFC System                        Dec 2004\n   297   ODAG         OFC       Defect Recommendations (Spreadsheet)\n   298   ODAG         OFC       Dept Executive Review Board Presentation, OFC            Nov 2005\n                                Direct Funding for the Development of the OFC\n   300   ODAG         OFC\n                                (Spreadsheet)\n   301   ODAG         OFC       DOJ/OCIO Executive Review, OFC                            Jan 2005\n   303   ODAG         OFC       Functional Testing Process Flow\n                                Fusion Center Overview and Drug Intelligence\n   304   ODAG         OFC\n                                Analysis Report, Drug Intelligence Fusion Center\n   305   ODAG         OFC       IT Contingency Plan, IRSS, Version 2.2                   Mar 2005\n   306   ODAG         OFC       Justification for Other than Full and Open Competition   May 2004\n   308   ODAG         OFC       List of Milestones and Deliverables                      Oct 2005\n   309   ODAG         OFC       OCDETF Fusion Center EVM Report (Spreadsheet)            Mar 2006\n   310   ODAG         OFC       OCDETF Fusion Center Review Meeting Agenda                Jun 2006\n   311   ODAG         OFC       OFC Compass Release 1.0 Capability Assessment            Apr 2006\n                                OFC Master Schedule \xe2\x80\x93 No Ops \xe2\x80\x93 Merrifield\n   313   ODAG         OFC\n                                (Spreadsheets)\n                                OFC Master Schedule \xe2\x80\x93 No Ops \xe2\x80\x93 NS IOC\n   314   ODAG         OFC\n                                (Spreadsheets)\n   316   ODAG         OFC       OMB Exhibit 300 for BY 2006                              Sep 2004\n   318   ODAG         OFC       OMB Exhibit 300 for BY 2007\n   320   ODAG         OFC       Privacy Impact Assessment, OFC (Draft)                   Aug 2004\n   321   ODAG         OFC       Project Management Plan, OFC Deployment                  Sep 2005\n   322   ODAG         OFC       Project Plan, Software Version 1.0, OFC                  May 2006\n   323   ODAG         OFC       Project Schedule, WBS CCB CR41(Spreadsheets)\n   324   ODAG         OFC       Requirements Traceability Table                           Jan 2006\n                                Requirements Traceability Table, Script Case Mapping\n   325   ODAG         OFC                                                                 Jan 2006\n                                to Requirements\n   326   ODAG         OFC       Residual Risk Report, OFC                                May 2006\n\n\n                                          82\n\x0cItem ID             System or\n        Component                                      Title                          Date\nNumber               Project\n    327  ODAG         OFC       Risk Adjusted Cost Formulation\n    328  ODAG         OFC       Risk and Issue Management Master Plan                Jun 2005\n    330  ODAG         OFC       Risk Assessment Results for BY 2006\n    331  ODAG         OFC       Risk Assessment Results for BY 2007\n    334  ODAG         OFC       System Security Plan, OFC Compass\n    335  ODAG         OFC       System Test Plan, OFC, Version 1.2                    Jan 2006\n    336  ODAG         OFC       Testing Status Summary                               Sep 2006\n    338  ODAG         OFC       Validation Test Script Forms                         May 2006\n    340   OJP        JGMS       System Security Plan for Grants Management System    Feb 2006\n    341   OJP        JGMS       Configuration Management Plan, OJP                   Nov 2004\n    342   OJP        JGMS       Continuity of Operations Plan, OJP                    Jul 2005\n    343   OJP        JGMS       Detailed Design Review GMS/Grant Adjustments          Jan 2006\n                                Detailed Design Review GMS/Grant Adjustments,\n   344    OJP        JGMS                                                             Jan 2006\n                                Phase 1, Installment 2\n                                Functional Requirements Document, Grant\n   345    OJP        JGMS                                                            Nov 2005\n                                Adjustments, OJP, Version 1.1\n   346    OJP        JGMS       GMS Grant Adjustment Notice Module Test Cases        Oct 2005\n   347    OJP        JGMS       GAN Module Test Plan, OJP\n   348    OJP        JGMS       Grant Adjustment Notice Module Test Plan, Phase 2\n                                GAN Module, Software Requirements Specification\n   349    OJP        JGMS                                                            May 2006\n                                Use Cases, Draft, Version 1.5\n   350    OJP        JGMS       GAN Phase 1 \xe2\x80\x93 STR                                    Mar 2006\n   351    OJP        JGMS       GAN Phase 2 \xe2\x80\x93 STR                                    May 2006\n   352    OJP        JGMS       GAN Schedule                                         Sep 2005\n   353    OJP        JGMS       GAN Schedule                                         Dec 2005\n   354    OJP        JGMS       GAN Schedule \xe2\x80\x93 EVM                                   Apr 2006\n   355    OJP        JGMS       GAN Schedule \xe2\x80\x93 EVM                                   Feb 2006\n   356    OJP        JGMS       GAN Schedule \xe2\x80\x93 EVM                                   May 2006\n   357    OJP        JGMS       GAN Test Problem Report (Spreadsheet)\n   358    OJP        JGMS       GMS EVM (Spreadsheet)                                Apr 2006\n   359    OJP        JGMS       GMS GAN Training Plan, (Draft)                       May 2005\n                                Grant Adjustment Notice (GAN) Module Project\n   360    OJP        JGMS                                                            Sep 2005\n                                Management Plan, Draft\n   363    OJP        JGMS       OJP Change Control Procedures, Version 2.0           Feb 2006\n   364    OJP        JGMS       OMB Exhibit 300 for BY 2007\n   366    OJP        JGMS       Preliminary Design Review GMS/GAN Module             Oct 2005\n                                Risk Management Plan, Version 1.1 (Spreadsheet),\n   368    OJP        JGMS                                                            Oct 2006\n                                GAN\n                                Civil Rights Division Lessons Learned Report, JCON\n   371    JMD        JCON                                                            May 2006\n                                IIA Implementation Phase\n\n\n\n\n                                          83\n\x0cItem ID             System or\n        Component                                       Title                            Date\nNumber               Project\n                                Configuration Management Plan, JCON PMO, Version\n   372    JMD        JCON                                                               Mar 2006\n                                1.2\n   373    JMD        JCON       Contingency Plan, JCON COAR, Version 1.8                Mar 2006\n   374    JMD        JCON       Contract Administration, JCON\n   375    JMD        JCON       Department Executive Review Board Presentation          Feb 2005\n                                Design and Development Phase Closeout Checklist,\n   376    JMD        JCON\n                                JCON SDLC, Version 1.2\n                                Implementation Phase Closeout Checklist, Version 1.1,\n   377    JMD        JCON\n                                JCON SDLC\n                                Implementation Phase Closeout Checklist, Version 1.1,\n   378    JMD        JCON\n                                JCON SDLC, (Blank Form)\n   379    JMD        JCON       Implementation Plan, EOIR, Final Version 2.7            May 2006\n   380    JMD        JCON       Initial Privacy Impact Assessment\n                                JCON Implementation Plan Template and Guidance,\n   382    JMD        JCON                                                               Mar 2005\n                                JCON PMO SDLC, Version 2.0\n   384    JMD        JCON       JCON SDLC Guide, JCON PMO SDLC, Version 2.0             Mar 2005\n                                Lessons Learned Report for the JCON Civil\n   385    JMD        JCON                                                               May 2006\n                                Deployment Implementation Phase\n                                Lessons Learned Report Template and Guidance,\n   386    JMD        JCON                                                                Jan 2005\n                                JCON PMP SDLC, Version 1.0\n   387    JMD        JCON       OMB Exhibit 300 for BY 2007                             Dec 2005\n                                Planning Phase Closeout Checklist, JCON SDLC,\n   388    JMD        JCON\n                                Version 1.4\n   390    JMD        JCON       Privacy Threshold Analysis\n                                Project Management Plan Template, JCON PMO\n   391    JMD        JCON                                                               May 2005\n                                SDLC, Version 2.0\n                                Project Management Plan, Civil Rights Division, JCON\n   392    JMD        JCON                                                               Dec 2005\n                                Implementation\n                                Project Management Plan, EOUSA JCON IIA\n   393    JMD        JCON                                                               May 2005\n                                Deployment\n   394    JMD        JCON       Project Management Plan, JCON Modernization             Jun 2005\n                                Requirements Analysis Phase Closeout Checklist,\n   395    JMD        JCON\n                                JCON SDLC, Version 1.2\n                                Residual Risk Report for JCON Common Office\n   398    JMD        JCON                                                               May 2006\n                                Automation Resources\n   399    JMD        JCON       Risk Management Areas of Concern                        May 2006\n   400    JMD        JCON       Risk Management Plan, JCON PMO, Version 2                Jul 2003\n   401    JMD        JCON       Security Test and Evaluation, JCON COAR                 May 2006\n   402    JMD        JCON       Summary of Findings, Email Users Survey                 Dec 2005\n                                System Analysis Report JCON Civil Rights Division\n   403    JMD        JCON                                                               Apr 2006\n                                Design, Version 1 \xe2\x80\x93 Final\n\n\n                                          84\n\x0cItem ID             System or\n        Component                                       Title                             Date\nNumber               Project\n    404   JMD        JCON       System Security Plan, JCON-COAR                          May 2006\n    405   JMD        JCON       System Test Plan for DOJ EOIR, Version 1.0, Draft        Aug 2005\n                                System Test Plan Template, JCON PMO SDLC,\n   406    JMD        JCON                                                                Mar 2005\n                                Version 1.0\n   407    JMD        JCON       Systems Engineering Process, JCON PMO, Version 1.0       Jun 2006\n                                Vulnerability/Countermeasures and Threat Pairing,\n   408    JMD        JCON                                                                May 2006\n                                JMD, JCON-COAR\n   409    BOP        ITS-II     Security Test and Evaluation Worksheets\n   412    BOP        ITS-II     Program Plan                                             May 2005\n   413    BOP        ITS-II     Plan of Action and Milestones\n   414    BOP        ITS-II     Contingency Plan                                         Nov 2004\n   415    BOP        ITS-II     Engineering Management Plan                              Apr 2005\n   416    BOP        ITS-II     Request for Comment\n   417    DEA         EPIC      Risk Assessment Report, EPIC                             May 2005\n                                OCIO: Project Dashboard Project Managers\n   419    DEA         EPIC\n                                Worksheet, EPIC\n   420    DEA         EPIC      System Security Plan, ESS                                Aug 2005\n                                Action Plan, Independent Evaluation Pursuant to the\n   421    DEA         EPIC      Federal Information Security Management Act FY\n                                2005, DEA ESS\n   422    DEA         EPIC      Contingency Plan, ESS                                    Mar 2006\n   423    DEA         EPIC      Training Plan, EPIC Open Connectivity Project            Jun 2004\n                                System Engineering Management Plan, EPIC Open\n   424    DEA         EPIC                                                               Jun 2004\n                                Connectivity Project\n                                Configuration Control Board (CCB) Charter and\n   425    DEA         EPIC      Request for Information Technology Services (RITS)       Feb 2004\n                                Policy\n                                Verification and Validation Plan, EPIC Open\n   426    DEA         EPIC                                                               Apr 2004\n                                Connectivity Project\n   427    DEA         EPIC      NDSS Project, Background: NIBRS/UCR Data, CDX            May 2003\n   428    DEA         EPIC      General Counterdrug Intelligence Plan                    Feb 2000\n                                Risk Management Plan, Open Connectivity Project,\n   429    DEA         EPIC                                                               Aug 2004\n                                DEA EPIC, Revised\n   430    DEA         EPIC      Feasibility Statement, EPIC Open Connectivity Project,   Apr 2006\n                                CONOPS, Connection of the ESS to the EIS, EPIC,\n   431    DEA         EPIC                                                               Jun 2004\n                                Version 1.1\n   432    DEA         EPIC      National Drug Seizure System Discussion Paper, CDX       Feb 2004\n   434    FBI       CARTSAN     CARTSAN Review Network Installation Plan                 Jun 2005\n   435    FBI       CARTSAN     Certification and Accreditation System Registration      Jun 2005\n   436    FBI       CARTSAN     Certification Test Report, CARTSAN                       Aug 2005\n   437    FBI       CARTSAN     Concept of Operations\n\n\n\n                                          85\n\x0cItem ID             System or\n        Component                                      Title                           Date\nNumber               Project\n    438   FBI       CARTSAN     Configuration Management Plan, Version 0.1 (Draft)\n                                Digital Evidence Laboratory Quality Assurance\n   439     FBI      CARTSAN                                                           Apr 2006\n                                Manual Supplement, CART\n   441     FBI      CARTSAN     Earned Value Management Worksheet                      Jul 2005\n                                Guidance on Use of the CAIR Program and Integration\n   442     FBI      CARTSAN                                                           Aug 2005\n                                with CART Storage Platforms\n   443     FBI      CARTSAN     Investment Management/Project Review Board            Aug 2005\n   444     FBI      CARTSAN     Mission Needs Statement                               Nov 2005\n   446     FBI      CARTSAN     Privacy Impact Assessment, CARTSAN, (Draft)\n   447     FBI      CARTSAN     Risk Management Plan                                   Jul 2005\n   448     FBI      CARTSAN     Risk Register                                          Jul 2005\n   449     FBI      CARTSAN     System Security Plan, CARTSAN                         Aug 2005\n   450     FBI      CARTSAN     Top Level Tasks, CARTSAN Phase One                     Jul 2006\n                                Concept of Operations, DHS/US-VISIT and DOJ/FBI\n   454     FBI       BRIDG                                                            Apr 2006\n                                Interoperability, iDSM, Final\n                                Full Business Case, IDENT-IAFIS Interoperability,\n   455     FBI       BRIDG                                                            Jan 2006\n                                iDSM Project\n   456     FBI       BRIDG      iDSM, WBS, CJIS Bridge                                 Jul 2006\n   457     FBI       BRIDG      Mission Needs Statement, iDSM, Version 1.2            Jan 2006\n   458     FBI       BRIDG      Open Risks Worksheet, iDSM                            Jun 2006\n                                Privacy Impact Assessment for the DOJ/FBI-DHS\n   459     FBI       BRIDG\n                                Interim Data Sharing Model (iDSM)\n   460     FBI       BRIDG      Project Health Assessment, iDSM, Gate 1 & 2           Feb 2006\n                                Project Health Assessment, iDSM, Gate 3 (Final\n   461     FBI       BRIDG                                                            Jun 2006\n                                Design)\n   462     FBI       BRIDG      Risk Management Plan, iDSM Project                    Jan 2006\n   463     FBI       CODIS      Acquisition Strategy Review, CODIS 6.0                Oct 2005\n   464     FBI       CODIS      CODIS Accreditation Decision                          Apr 2005\n                                Combined DNA Index System Mission Needs\n   465     FBI       CODIS                                                            Nov 2005\n                                Statement\n   466     FBI       CODIS      CODIS Schedule\n   467     FBI       CODIS      FY 2008 Full Business Case                            Dec 2005\n                                Independent Assessment Findings and\n   468     FBI       CODIS                                                            Jun 2005\n                                Recommendations, CODIS, Final\n   469     FBI       CODIS      Description of Current CODIS Architecture\n   470     FBI       CODIS      Plans of Actions and Milestones, CODIS                Feb 2005\n                                Privacy Impact Assessment, National DNA Index\n   471     FBI       CODIS                                                            Oct 2004\n                                System (NDIS) Database\n                                Product Management Plan, CODIS Bridge Contract\n   472     FBI       CODIS                                                            Sep 2005\n                                Extension\n   473     FBI       CODIS      Risk Management Plan, CODIS, Draft Version 01         May 2006\n   474     FBI       CODIS      Risk Register, CODIS, Open Risks Worksheet            Feb 2006\n\n                                          86\n\x0cItem ID             System or\n        Component                                       Title                             Date\nNumber               Project\n                                Single Acquisition Management Plan for the Combined\n   475     FBI       CODIS                                                               Feb 2006\n                                DNA Index System\n   476     FBI       CODIS      System Security Plan, CODIS                              Jan 2005\n                                Three Part Contingency Plan, CODIS Bridge Contract\n   477     FBI       CODIS                                                               Oct 2005\n                                Extension\n                                Action Plan, Enterprise Servers (Administrative and\n   478     FBI        DCU                                                                 Jul 2004\n                                Investigative Mainframes), Secret (Working Draft)\n                                Approval to Operate for the Investigative Mainframe\n   479     FBI        DCU                                                                May 2006\n                                Application (IMA)\n                                Continuity of Operations Plan, FBI, ITOD, Operations\n   480     FBI        DCU                                                                Jan 2005\n                                Section\n                                Contribution of the Mainframe to the Bureau\'s Mission,\n   481     FBI        DCU                                                                Feb 2006\n                                FBI\n   483     FBI        DCU       Investment Evaluation Form, IT Management                May 2006\n   484     FBI        DCU       ITOD Hardware Review, Executive Dashboard (Draft)        Mar 2006\n   485     FBI        DCU       Mainframe Hardware Test Environment\n   486     FBI        DCU       Mission Needs Statement, Enterprise Backup Project        Jul 2005\n   487     FBI        DCU       OMB Exhibit 300 for BY 2005\n   488     FBI        DCU       OMB Exhibit 300 for BY 2007                               Jul 2005\n   489     FBI        DCU       OMB Exhibit 300 for BY 2008                               Jul 2005\n   490     FBI        DCU       Project Plan, Global Mirroring Project                   Dec 2005\n                                Project Summary Report, ITOD Mainframe System\n   491     FBI        DCU\n                                Upgrade\n                                System Security Plan, FBI, Enterprise Servers, Version\n   492     FBI        DCU                                                                Oct 2004\n                                1.2\n                                Benefits & Cost Analysis Project Synopsis, DCS-5000\n   493     FBI        DCS                                                                Feb 2006\n                                Regional Architecture, Step 4 and 5\n                                Benefits & Cost Analysis Project, DCS-5000 Regional\n   494     FBI        DCS                                                                Nov 2005\n                                Architecture, Step 2 and 3\n                                Benefits & Cost Analysis Project, DCS-5000 Regional\n   495     FBI        DCS                                                                Jan 2006\n                                Architecture, Step 4 and 5\n                                Configuration Management Plan, DCS-6000, Appendix\n   496     FBI        DCS                                                                May 2006\n                                O\n                                DCS-5000 Accreditation Decision - Grant ATO for\n   497     FBI        DCS                                                                Feb 2006\n                                DCS-5000, IT System Security Risk Analysis\n   498     FBI        DCS       DCS-5000 Schedule\n                                DCS-6000 - Grant ATO with Conditions, IT Systems\n   499     FBI        DCS                                                                May 2006\n                                Security Risk Analyses\n                                DCS-6000 Accreditation Decision - Security\n   500     FBI        DCS       Characteristic and Tier Level Designation for DCS-       May 2006\n                                6000, IT Systems Security Risk Analyses\n   501     FBI        DCS       DCS-6000 Schedule, Appendix B (Table)\n\n                                          87\n\x0cItem ID             System or\n        Component                                        Title                              Date\nNumber               Project\n    509   FBI         DCS       Phase Review Report, Phase 1/2, Project Digital Storm,     Aug 1998\n                                Privacy Impact Assessment, SPIDERNET and\n   510     FBI        DCS                                                                  Aug 2001\n                                DIGITAL STORM\n                                Privacy Impact Assessment, Upgrade from\n   511     FBI        DCS                                                                  Dec 2005\n                                SPIDERNET to Red Wolf\n                                Project Closeout Report, Digital Collection-04, Version\n   514     FBI        DCS                                                                   Jul 2005\n                                1.1\n                                Project Plan, Digital Collection System, Digital\n   516     FBI        DCS                                                                  Nov 2004\n                                Collection -05\n   517     FBI        DCS       Project Plan, Digital Collection, Digital Collection -03   Aug 2003\n   518     FBI        DCS       Project Plan, Digital Collection, Digital Collection -04    Jan 2004\n   519     FBI        DCS       Project Plan, Digital Storm                                Jun 1998\n   520     FBI        DCS       Project Status Report, DCS-5000                            Jun 2006\n                                Risk Assessment and Management Plan (RAMP),\n   521     FBI        DCS       DCS-6000, Systems Security Plan, Appendix L,               May 2006\n                                Version 2.0\n                                Security Concept of Operations, DCS-6000, Appendix\n   522     FBI        DCS                                                                  May 2006\n                                S, Version 1.0\n   523     FBI        DCS       Statement of Need, Digital Delight                         Jan 1997\n   524     FBI        DCS       System Security Plan, DCS 3000, Version 2.0                Apr 2006\n   525     FBI        DCS       System Security Plan, DCS-5000, Revision 3.5               Dec 2005\n                                System Security Plan, DCS6000 Voice Box III,\n   526     FBI        DCS                                                                  May 2006\n                                Version 3.1\n   527     FBI        DCS       Test Plan, Digital Storm, Version 1.0                      Feb 1999\n                                Work Breakdown Structure (WBS) for Project Digital\n   528     FBI        DCS                                                                  Mar 1998\n                                Storm, Version 1.0\n   529     FBI       EDMS        Privacy Impact Assessment (PIA), Draft                    Sep 2005\n                                Certification Decision, Recommendation for ATO for\n   530     FBI       EDMS                                                                  Jun 2004\n                                ITD/EIMO/EDMS\n   531     FBI       EDMS       Certification Test Plan                                    Apr 2004\n   532     FBI       EDMS       Configuration Management Plan, Revision b                  Sep 2005\n   533     FBI       EDMS       Continuity of Operations Plan                              Apr 2004\n   535     FBI       EDMS       Department Investment Review Board\n                                EDMS Briefing for the FBI Science and Technology\n   536     FBI       EDMS                                                                   Jul 2005\n                                Advisory Board\n   537     FBI       EDMS       Installation Plan, EDMS\n                                EDMS, ELSUR Data Management System\n   538     FBI       EDMS\n                                Background/History\n   540     FBI       EDMS       OMB Exhibit 300 for BY 2007                                Sep 2005\n                                Independent Government Cost Estimate, Next\n   542     FBI       EDMS       Generation Electronic Surveillance, Data Management        Nov 2005\n                                System\n\n\n                                           88\n\x0cItem ID             System or\n        Component                                     Title                           Date\nNumber               Project\n    543   FBI        EDMS       Monthly Project Status Reporting                     Dec 2005\n                                Project Plan, Project EDMS (ELSUR Data\n   544     FBI       EDMS                                                            Feb 2004\n                                Management System)\n   545     FBI       EDMS       Master Schedule, EDMS\n   546     FBI       EDMS       Project Status Report, ELSUR EDMS                    Apr 2006\n   547     FBI       EDMS       Risk Management Plan, EDMS                           Aug 2000\n   548     FBI       EDMS       Risk Management Plan, EDMS, version 3.0\n   549     FBI       EDMS       Proposed Risk Worksheets\n                                Statement of Need, Phase 1, Information Management\n   550     FBI       EDMS                                                            Jan 1998\n                                System (IMS)\n   551     FBI       EDMS       Strategic Training Plan                              Jun 2005\n   552     FBI       EDMS       System Concept of Operations, EDMS, version 1.2      Feb 2004\n                                System Security Plan, EDMS, version EDMS SSP Rev.\n   553     FBI       EDMS                                                            Apr 2004\n                                2.0\n                                Target EA and Transition, EDMS Enterprise\n   554     FBI       EDMS                                                            Jan 2005\n                                Architecture, Executive Summary, V1.0\n   555     FBI       EDMS       Test and Evaluation Master Plan, EDMS, Revision A    Aug 2005\n                                Concept of Operations (CONOPS), Guardian 2.0,\n   558     FBI       FTTTF                                                           Mar 2006\n                                Version 1.0\n   559     FBI       FTTTF      Concept of Operations, DEEP, Revision 0.3            Sep 2004\n                                Critical Performance Measures, Guardian 2, Version\n   560     FBI       FTTTF                                                           Apr 2006\n                                1.0\n   561     FBI       FTTTF      Installation Plan, Guardian 2, Draft Version 5.0     Apr 2006\n   562     FBI       FTTTF      Mission Need Statement, Guardian 2, Version C        Jan 2006\n                                Project Charter, CTD Data Extraction and Extension\n   563     FBI       FTTTF                                                            Jul 2004\n                                Project (DEEP)\n                                Project Management Plan (Software Development\n   564     FBI       FTTTF                                                           Mar 2006\n                                Plan), Guardian 2.0, Version 9.0\n   565     FBI       FTTTF      Risk Management Plan, Guardian, Version 1.0          Apr 2006\n   566     FBI       FTTTF      Risk Register Worksheet, Guardian                    Mar 2006\n                                System Engineering Management Plan, Guardian,\n   567     FBI       FTTTF                                                           Mar 2006\n                                Draft Version 11.0\n                                Test and Evaluation Master Plan, Guardian, Version\n   568     FBI       FTTTF                                                           Mar 2006\n                                1.0\n   569     FBI       FTTTF      Test Procedures, DEEP, Release 1.2                   Sep 2005\n   570     FBI       FTTTF      Test Procedures, DEEP, Version 1\n   571     FBI       FTTTF      Test Procedures, Guardian, Version 7.0               Apr 2006\n   573     FBI       IAFIS      Build C Test Report, Volume 1                        Aug 1997\n   574     FBI       IAFIS      Build D Installation Plan                            Nov 1997\n   575     FBI       IAFIS      Build D Test Report, Volume 1                        Dec 1997\n   576     FBI       IAFIS      Build E Installation Plan                            Apr 1998\n\n\n\n                                         89\n\x0cItem ID             System or\n        Component                                      Title                          Date\nNumber               Project\n                                Build E System Integration and Test Plan (SITP),\n   577     FBI       IAFIS                                                            Jan 1998\n                                IAFIS\n   578     FBI       IAFIS      Build E Test Report, Volume 2                        May 1998\n   579     FBI       IAFIS      Build F Installation Plan                            Mar 1998\n   580     FBI       IAFIS      Build F Installation Plan (CWV Draft 3, as Built)     Jun 2000\n   581     FBI       IAFIS      Build F1 Test Report, Volume 1                       May 1999\n                                Configuration Management Plan, Criminal Justice\n   582     FBI       IAFIS                                                           Aug 2002\n                                Information Services Division, Revision1.2\n   583     FBI       IAFIS      Early Build C Installation Plan                      May 1997\n   584     FBI       IAFIS      IAFIS System Acceptance Test Plan, Volume 1          Feb 1999\n   585     FBI       IAFIS      IAFIS System Acceptance Test Report                  Aug 1999\n                                Independent Verification, Validation & Testing\n   586     FBI       IAFIS                                                           Nov 1993\n                                (IVV&T) SOW, CJIS Division\n   587     FBI       IAFIS      ITN Training Plan                                     Jul 1999\n   588     FBI       IAFIS      Operational System Security Plan, AFIS               Jan 1999\n   589     FBI       IAFIS      Quality Assurance Plan, CJIS Division                Mar 2005\n   591     FBI       IAFIS      System Security Plan, IAFIS, Version 2.1             Mar 2006\n                                Systems Engineering Management Plan, Criminal\n   592     FBI       IAFIS                                                            Jul 2005\n                                Justice Information Services Division\n                                Systems Engineering Management Plan, SoSSS,\n   593     FBI       IAFIS                                                           Nov 2005\n                                Revision 2.2 Final\n                                Technical Data Collection Tool, CJIS Division\n   594     FBI       IAFIS\n                                (spreadsheet)\n   595     FBI       IAFIS      Training Plan, AFIS                                  Nov 1998\n   596     FBI       IAFIS      Transition Plan, IAFIS, Second Iteration             Apr 1998\n   597     FBI       IAFIS      Transition Plan, IAFIS, Third Iteration              Oct 1998\n   598     FBI        IATI      CARA WBS\n   599     FBI        IATI      CARA Technical Review Board Briefing                 May 2006\n   600     FBI        IATI      Concept of Operations, FBI IATI Program, CARA        Apr 2005\n                                Concept of Operations, FBI IATI Program, IODM,\n   601     FBI        IATI                                                           Sep 2005\n                                Version 1.0\n                                Configuration Management Plan (CMP), Technology\n   602     FBI        IATI                                                           Nov 2003\n                                Infusion Program (TI), Volume 1, Version 0.5\n                                Earned Value Management Report, IATI Program,\n   604     FBI        IATI                                                           May 2006\n                                Version 1.0\n   605     FBI        IATI      Feasibility Study, IATI Program, CARA, Version 1.0   Mar 2005\n   606     FBI        IATI      IATI Green Book Report                                Jun 2006\n   608     FBI        IATI      Installation Plan, IATI Program, IODM, Version 2.0   May 2006\n   609     FBI        IATI      IODM WBS\n   610     FBI        IATI      IODM, Technical Review Board Briefing                 Jan 2006\n   611     FBI        IATI      Mission Needs Statement, IATI\n\n\n                                          90\n\x0cItem ID             System or\n        Component                                      Title                           Date\nNumber               Project\n    612   FBI         IATI      OMB Exhibit 300 for FY 2008                           Mar 2006\n    613   FBI         IATI      Privacy Impact Assessment, CARA                       Apr 2006\n                                Program Management Plan, Technology Infusion\n   614     FBI        IATI                                                            Nov 2003\n                                Program, Volume I, Version .19\n                                Quality Assurance Plan (QAP), IATI, Volume 1,\n   615     FBI        IATI                                                            Nov 2003\n                                Version .9\n                                Risk Management Plan (RMP), Technology Infusion\n   616     FBI        IATI                                                            Nov 2003\n                                Program, Version .8\n   617     FBI        IATI      Risk Worksheet, CARA                                  May 2006\n   618     FBI        IATI      Risk Worksheet, IODM                                  Mar 2006\n                                Security Attachment to the FBI System Security Plan\n   619     FBI        IATI                                                            May 2006\n                                (SSP), IATI Program, IODM, Version 2.0\n                                System Engineering Master Plan, IATI Program,\n   621     FBI        IATI                                                            May 2004\n                                Version 1.0\n                                System Installation Plan, IATI Program, CARA,\n   622     FBI        IATI                                                            May 2006\n                                Version 3.0\n                                System Security Plan (SSP), IATI Program, CARA,\n   623     FBI        IATI                                                            May 2006\n                                Version 6.0\n                                System Security Plan (SSP), IATI, SSIAC, SAE,\n   624     FBI        IATI                                                            Mar 2006\n                                Version 7.0\n   625     FBI        IATI      System Test Plan, IATI Program, CARA, Version 3.0      Jan 2006\n   626     FBI        IATI      Test and Evaluation Master Plan (TEMP), IATI, Draft   Apr 2004\n   627     FBI        IATI      Test Plan, IATI Program, IODM, Version 3.0            May 2006\n   628     FBI        IATI      Training Plan, IATI Program, CARA, Version 2.0        Apr 2006\n   629     FBI        IATI      Transition Plan, IATI Program, CARA, Version1.0       May 2006\n   630     FBI        IDW       ORACLE 9.2.0.4 Upgrade Plan\n   631     FBI        IDW       Risk Management Plan, IDW, Version 1.0                Feb 2005\n   632     FBI        IDW       Risk Register, IDW (Spreadsheet)                      Dec 2005\n   633     FBI        IDW       System Security Plan, IDW, Version 2.0                May 2006\n                                Test & Evaluation Test Analysis Report (TETAR) for\n   634     FBI        IDW                                                              Jul 2004\n                                IDW, Version 1.1\n   635     FBI        IDW       Training Management Plan, IDW                         Jun 2004\n   636     FBI        IDW       Transition and Deployment Plan, IDW                   Jun 2004\n                                Appendix C: Test Cases and Scenarios, Workflow Part\n   637     FBI        LEO                                                             Jun 2006\n                                1 (Final Draft)\n   638     FBI        LEO       Appendix C: Workflow Part 2 (Final Draft)              Jun 2006\n   639     FBI        LEO       Appendix C: Workflow Part 3 (Final Draft)              Jun 2006\n                                Control Gate 4 & 5, LEO Reengineering/Relocate,\n   640     FBI        LEO                                                             Jun 2006\n                                Project Health Review\n   641     FBI        LEO       Earned Value Management Variances, LEO                May 2006\n   642     FBI        LEO       FBI LEO System Security Plan, dated 9 June 2006        Jun 2006\n\n\n                                          91\n\x0cItem ID             System or\n        Component                                       Title                           Date\nNumber               Project\n                                Implementation Plan for the LEO System Relocation of\n   643     FBI        LEO                                                              May 2006\n                                Primary Operations to the CJIS Division\n                                Installation Plan, LEO System Relocation of Primary\n   644     FBI        LEO                                                              Dec 2005\n                                Operations to the CJIS Division (Final Draft)\n   645     FBI        LEO       IT Contingency Plan, LEO, Version 1.0 (Draft)          May 2006\n   646     FBI        LEO       LEO CM Working Group Schedule                           Jun 2004\n                                LEO Configuration Management (CM) Processes,\n   647     FBI        LEO                                                              Jun 2004\n                                dated 21 June 2004\n   649     FBI        LEO       Project Implementation Schedule\n   650     FBI        LEO       Project Implementation Schedule (Draft)                Apr 2006\n   651     FBI        LEO       Project Implementation Schedule, Appendix B (Draft)    Apr 2006\n   652     FBI        LEO       Project Implementation Schedule, Appendix C\n                                Project Management Plan, LEO, Relocation and\n   653     FBI        LEO                                                              Jun 2006\n                                Reengineering Project\n                                Requirements Traceability Matrix (RTM) for the LEO\n   655     FBI        LEO       System Relocation of Primary Operations to the CJIS    Jun 2006\n                                Division (Draft)\n   656     FBI        LEO       Risk Register                                          Jun 2006\n                                System Test Plan, LEO System Relocation of Primary\n   657     FBI        LEO                                                              Jun 2006\n                                Operations to the CJIS Division (Final Draft)\n   658     FBI        LEO       Test Readiness Review, LEO Relocation                   Jun 2006\n                                Transition Plan, LEO System Relocation of Primary\n   659     FBI        LEO                                                              Jun 2006\n                                Operations to the CJIS Division (Final Draft)\n   660     FBI       R-DEx      Certification Test Plan, R-DEx, Version 1.6            Feb 2005\n   661     FBI       R-DEx      Certification Test Report, R-DEx, Version 1.6          Feb 2005\n                                Risk Assessment and Risk Management Matrix\n   662     FBI       R-DEx                                                              Jul 2005\n                                (RMM), R-DEx, Version 1.0\n                                Security Requirements Traceability Matrix (SRTM),\n   663     FBI       R-DEx                                                             Mar 2004\n                                Version 1.0\n                                System Security Plan, FBI Regional Data Exchange\n   664     FBI       R-DEx                                                             May 2006\n                                (R-DEx), Version 4.2\n                                 External Interface Checkout Test Report for NCIC\n   665     FBI       NCIC                                                              May 1999\n                                2000\n                                Concept of Operations, CJIS, NCIC 2000/IAFIS\n   668     FBI       NCIC                                                              Aug 1995\n                                Interface\n                                Configuration and Data Management Plan for NCIC\n   669     FBI       NCIC                                                              Feb 1998\n                                2000\n                                Facility Requirements and Installation Plan for NCIC\n   670     FBI       NCIC                                                               Jul 1998\n                                2000\n                                Fingerprint Matching Subsystem Beta Test Report,\n   672     FBI       NCIC                                                              May 1999\n                                NCIC 2000\n   673     FBI       NCIC       FMS Reintegration Test Report for NCIC 2000            Mar 1999\n\n\n                                          92\n\x0cItem ID             System or\n        Component                                       Title                            Date\nNumber               Project\n                                Interim Disaster Recovery Concept of Operations, CJIS\n   674     FBI       NCIC       Division Information Technology Management               Jun 2003\n                                Section, NCIC\n                                Maintainability Test Plan and Procedure for NCIC\n   675     FBI       NCIC                                                               May 1999\n                                2000\n   676     FBI       NCIC       Maintainability Test Plan for NCIC 2000                 Feb 1994\n   677     FBI       NCIC       Maintainability Test Report for NCIC 2000                Jun 1999\n   678     FBI       NCIC       NCIC 2000 Security Certification and Testing Analysis     Jul 1999\n   679     FBI       NCIC       NCIC 2000 Segment                                        Jun 1994\n   680     FBI       NCIC       NCIC 2000 Segment                                       May 1994\n   681     FBI       NCIC       Personnel Requirements and Training Plan for NCIC       Nov 1998\n                                Plan for Early Delivery of the FMS Subsystem, NCIC\n   682     FBI       NCIC                                                               Apr 1997\n                                2000 Program\n   683     FBI       NCIC       Risk Analysis of the NCIC 2000, Working Paper           Oct 1989\n   684     FBI       NCIC       Risk Management Plan for NCIC 2000, Revision 2          Feb 1996\n   685     FBI       NCIC       Security Certification Status Report                     Jun 1998\n   686     FBI       NCIC       Successive Level Integration Test Plan for NCIC 2000      Jul 1996\n   687     FBI       NCIC       System Engineering Management Plan for NCIC 2000        May 1996\n   688     FBI       NCIC       System Security Plan (SSP), NCIC                          Jul 2006\n                                Technical Data Collection Tool, CJIS Division, NCIC\n   689     FBI       NCIC\n                                (spreadsheet)\n   690     FBI       NCIC       Test and Evaluation Master Plan for NCIC 2000           Mar 1996\n   691     FBI       NCIC       Transition Plan for NCIC 2000                           Aug 1998\n                                Preliminary Transition Plan for NCIC,Volume I of VII,\n   693     FBI       NCIC                                                               Apr 1997\n                                Transition Overview\n   694     FBI       N-DEx      Certification Test Plan, N-DEx                          Oct 2004\n                                Concept of Operations, Law Enforcement National\n   695     FBI       N-DEx                                                              May 2006\n                                Data Exchange (N-DEx), Version 1.5\n                                Mission Needs Statement, Law Enforcement National\n   697     FBI       N-DEx                                                              Dec 2005\n                                Data Exchange (N-DEx), Version 1.0\n   699     FBI       N-DEx      Program Plan, Law Enforcement N-Dex                      Jul 2006\n                                Risk Management Plan, Law Enforcement N-DEx,\n   700     FBI       N-DEx                                                              Aug 2006\n                                Version 1.4\n   701     FBI       N-DEx      Risk Register Worksheet, N-DEx                           Jun 2006\n                                System Security Plan Attachment H - Risk Assessment,\n   702     FBI       N-DEx                                                               Jun 2004\n                                N-Dex Prototype, Version 1.1\n                                Concept of Operations, NGI Advanced Fingerprint\n   703     FBI        NGI                                                                Jan 2006\n                                Identification Technology Component\n                                Concept of Operations, NGI Disposition Reporting\n   704     FBI        NGI                                                                Jun 2006\n                                Improvements Component\n\n\n\n\n                                          93\n\x0cItem ID             System or\n        Component                                       Title                          Date\nNumber               Project\n                                Concept of Operations, NGI Enhanced IAFIS\n   705     FBI        NGI                                                              Jan 2006\n                                Repository Component\n                                Concept of Operations, NGI Interstate Photo System\n   706     FBI        NGI                                                              Jan 2006\n                                Enhancements Component\n                                Concept of Operations, NGI National Palm Print\n   707     FBI        NGI                                                              Jan 2006\n                                System Component\n                                Concept of Operations, NGI Quality Check\n   708     FBI        NGI                                                              Jan 2006\n                                Automation Component\n   709     FBI        NGI       Configuration Management Plan, NGI                    Apr 2006\n                                Investment Management/Project Review Board\n   710     FBI        NGI                                                             Apr 2005\n                                (IMPRB), Summary Notes\n                                Earned Value, Template for Monthly Project Status\n   711     FBI        NGI\n                                Reporting\n   713     FBI        NGI       Investment Management/Project Review Board            Feb 2006\n   714     FBI        NGI       Cost Benefit Analysis Worksheet\n                                Milestone Report, NGI Requirements Analysis, Draft\n   715     FBI        NGI                                                             May 2006\n                                Rebaseline 2\n   716     FBI        NGI       Mission Needs Statement, NGI, Final, Version 1.0      Apr 2006\n                                PIA, Advanced Fingerprint Identification Technology\n   719     FBI        NGI\n                                (AFIT)\n   720     FBI        NGI       PIA, Enhanced IAFIS Repository\n   721     FBI        NGI       PIA, Interstate Photo System (IPS)\n   722     FBI        NGI       PIA, National Palm Print System (NPPS)\n   725     FBI        NGI       Program Management Review                             May 2006\n   726     FBI        NGI       Project Management Plan, NGI, Version 1.0              Jan 2006\n   727     FBI        NGI       Quality Assurance Plan, NGI                           May 2006\n   728     FBI        NGI       Risk Register, NGI                                    May 2006\n   729     FBI        NGI       Risk Management Plan, NGI                             Nov 2005\n                                Certification Test Plan, NICS/E-Checks/NICS Call\n   730     FBI       NICS                                                             Sep 2005\n                                Center\n                                Concept of Operations, NICS Efficiency Upgrade\n   731     FBI       NICS                                                             Mar 2003\n                                Project\n                                Configuration Management Plan, CJIS Division,\n   732     FBI       NICS                                                             Aug 2002\n                                Revision 1.2\n   733     FBI       NICS       Contingency Plan, NICS                                Dec 2001\n   735     FBI       NICS       Contingency Plan, NICS and E-Check                    Sep 2005\n   737     FBI       NICS       Formal Qualification Test Plan, NICS                    Jul 1998\n   739     FBI       NICS       Formal Qualification Test Report, NICS                Oct 1998\n   740     FBI       NICS       Installation Plan, NICS                                Jun 1998\n   741     FBI       NICS       NICS Efficiency Upgrade Installation Plan, Draft      Sep 2003\n   742     FBI       NICS       NICS Rehost Transition Plan                           May 2004\n\n\n                                          94\n\x0cItem ID             System or\n        Component                                      Title                          Date\nNumber               Project\n    743   FBI         NICS      Quality Assurance Plan, CJIS Division                Mar 2005\n    744   FBI         NICS      Security Requirements Traceability Matrix, NICS\n                                Superdome System Administration and Installation\n   745     FBI       NICS                                                             Jul 2005\n                                Cookbook, NICS [Rehost]\n   746     FBI       NICS       System Security Plan, NICS/ FBI                      May 1998\n                                System Test Plan, NICS Efficiency Upgrade Project,\n   747     FBI       NICS                                                            Jun 2003\n                                Draft\n   748     FBI       NICS       System Tests, NICS\n   749     FBI       NICS       Transition Plan NICS Efficiency Upgrade Project      Oct 2003\n                                Windows 2003 Server Installation Cookbook, NICS,\n   750     FBI       NICS                                                            Mar 2006\n                                Revision 3.0 [Efficiency Upgrade]\n   751     FBI      SCION       Full Privacy Impact Assessment, TS/SCI LAN           Dec 2002\n   752     FBI      SCION       Configuration Management Plan, SCION                 Dec 2003\n   753     FBI      SCION       System Security Plan, SCION                          Aug 2004\n   754     FBI      SCION       Certification Test Results, TS/SCI LAN               May 2003\n   755     FBI      Sentinel    Acquisition Plan (FD-911), SENTINEL, Version 2.0     Aug 2005\n   757     FBI      Sentinel    Communication Plan, SENTINEL, Version 1.0            Sep 2005\n                                Configuration Management Plan, SENTINEL PMO,\n   758     FBI      Sentinel                                                          Jul 2005\n                                Version 1.1\n   759     FBI      Sentinel    Deliverables, SENTINEL SOW, Attachment 2\n   760     FBI      Sentinel    IMPRB Acquisition Plan Review, Gate 2 Signatures      Jul 2005\n   761     FBI      Sentinel    Incremental Development Plan (IDP), SENTINEL,         Jul 2005\n   762     FBI      Sentinel    Investment Evaluation Form, Gate 1 Signatures         Jul 2005\n                                Meeting Minutes, Contract Implementation Review\n   763     FBI      Sentinel                                                         Mar 2006\n                                (CIR)-Part 1\n                                Meeting Minutes, Contract Implementation Review\n   764     FBI      Sentinel                                                         Apr 2006\n                                (CIR)-Part 2\n                                Meeting Minutes, Requirements Clarification Review\n   765     FBI      Sentinel                                                         May 2006\n                                (RCR), Version 1.0\n   766     FBI      Sentinel    Mission Needs Statement                               Jul 2005\n   769     FBI      Sentinel    Risk Register, SENTINEL                              Jun 2006\n   770     FBI      Sentinel    Program Management Plan, SENTINEL, Version 1.2       Aug 2005\n   771     FBI      Sentinel    Quality Management Plan, SENTINEL, Version 1.0        Jul 2005\n   772     FBI      Sentinel    Risk Management Plan, SENTINEL, Version 1.2           Jul 2005\n   773     FBI      Sentinel    Source Selection Decision Document for SENTINEL      Mar 2006\n                                System Concept of Operations, SENTINEL, Version\n   775     FBI      Sentinel                                                          Jul 2005\n                                1.1\n                                Systems Engineering Management Plan (SEMP),\n   776     FBI      Sentinel                                                         Jun 2005\n                                SENTINEL\n   777     FBI      Sentinel    Test and Evaluation Master Plan (TEMP), SENTINEL      Jul 2005\n\n\n\n\n                                          95\n\x0cItem ID             System or\n        Component                                      Title                           Date\nNumber               Project\n                                90 Day Evaluation Pilot, FDF Automation System User\n   778     FBI       SMIS                                                              Jan 2005\n                                Requirements for FBI Security Divisions\n   782     FBI       SMIS       Certification Test Plan, FDF-A                        Jan 2006\n   783     FBI       SMIS       Certification Test Report, FDF-A                      Feb 2006\n   784     FBI       SMIS       Concept of Operations, FBI SMIS, Version 2.0          Dec 2004\n                                Configuration Management Plan, SMIS, PMO, Version\n   785     FBI       SMIS                                                              Jul 2005\n                                1.0\n                                Control Gate Review Exit Report, SMIS, FDF-A, Gate\n   786     FBI       SMIS                                                             Mar 2006\n                                6 - OAR\n   788     FBI       SMIS       Cost Benefit Analysis, FDF-A, (Spreadsheet)\n                                Initial Privacy Impact Assessment, Polygraph\n   791     FBI       SMIS                                                             Aug 2005\n                                Workflow Management Application\n   792     FBI       SMIS       Initial Privacy Impact Assessment, SMIS               Aug 2005\n                                Investment Management/ Project Review Board\n   793     FBI       SMIS                                                             Aug 2005\n                                (IMPRB), Summary Notes\n                                Investment Management/ Project Review Board\n   794     FBI       SMIS                                                              Jan 2005\n                                (IMPRB), Summary Notes\n   797     FBI       SMIS       OMB Exhibit 300 for BY 2007                            Jan 2006\n                                Privacy Impact Assessment, Security Division\n   798     FBI       SMIS       Implementation the Financial Disclosure Forms         Feb 2006\n                                Analyzer\n                                Project Health Review, SMIS, FDF-A, Gate 2\n   799     FBI       SMIS                                                             Mar 2006\n                                Approval\n   800     FBI       SMIS       Project Management Review, SMIS                        Jan 2006\n   801     FBI       SMIS       Project Management Review, SMIS                       Feb 2006\n   802     FBI       SMIS       Project Management Review, SMIS                       Mar 2006\n   803     FBI       SMIS       Project Management Review, SMIS                       Dec 2005\n   804     FBI       SMIS       Project Management Review, SMIS                       Nov 2005\n   805     FBI       SMIS       Project Management Review, SMIS                       Apr 2005\n   806     FBI       SMIS       Project Management Review, SMIS                         Jul 2005\n   807     FBI       SMIS       Project Management Review, SMIS                        Jun 2005\n   808     FBI       SMIS       Project Management Review, SMIS                       May 2005\n   809     FBI       SMIS       Project Management Review, SMIS                       Oct 2005\n   810     FBI       SMIS       Project Management Review, SMIS                       Sep 2005\n   811     FBI       SMIS       Project Management Review, SMIS                       May 2006\n                                Project Plan, SMIS Facilities Certification and\n   812     FBI       SMIS                                                             Mar 2006\n                                Accreditation Component, Draft\n                                Project Plan, SMIS Financial Disclosure Forms\n   813     FBI       SMIS                                                             Feb 2006\n                                Analyzer Component, Draft\n   814     FBI       SMIS       Project Plan, SMIS, Version 0.7, Draft                 Jul 2005\n   815     FBI       SMIS       Quality Management Plan, SMIS, Version 1.0             Jul 2005\n   816     FBI       SMIS       Risk Management Matrix, FDF-A, Version 1.0            Feb 2006\n\n                                          96\n\x0cItem ID             System or\n        Component                                       Title                            Date\nNumber               Project\n    817   FBI         SMIS      Risk Management Plan, SMIS, Final 1.1                   Dec 2005\n    818   FBI         SMIS      Risk Register, SMIS                                     Mar 2006\n                                Security Concept of Operations for the Automated\n   819     FBI       SMIS       Facilities Management System for Facilities             May 2006\n                                Certification and Accreditation\n                                Security Concept of Operations, Polygraph Workflow\n   820     FBI       SMIS                                                               Oct 2005\n                                Management Application\n   823     FBI       SMIS       SMIS Master Schedule\n   825     FBI       SMIS       System Concept of Operations, E-Disclose\n                                System Security Plan, Financial Disclosure Forms\n   826     FBI       SMIS                                                                Jan 2006\n                                Analyzer (FDF-A), Version 1.2\n                                System Security Plan, Polygraph Workflow\n   827     FBI       SMIS                                                               Apr 2006\n                                Management System\n                                Test Analysis Report for the Polygraph Workflow\n   828     FBI       SMIS                                                               Nov 2005\n                                Management Application\n                                Test and Evaluation Master Plan for the Polygraph\n   829     FBI       SMIS                                                               Aug 2005\n                                Workflow Management Application\n   830     FBI       SMIS       Test Procedure Results, PWMA                            Nov 2005\n                                Testing and Evaluation Master Plan Unit Testing and\n   831     FBI       SMIS                                                               Mar 2006\n                                Traceability Matrix, SMIS FCA Application\n   832     FBI       SMIS       Threat Assessment Report, FDF-A                         Feb 2006\n                                Training Plan for the Polygraph Workflow\n   833     FBI       SMIS                                                               Sep 2005\n                                Management Application\n   835     FBI        TRP       IT Maintenance & Licensing Dashboard                    Jun 2006\n   836     FBI        TRP       Project Summary Report, TRP                             Dec 2006\n   838     FBI        TSC       Deployment Plan                                         Feb 2006\n                                ATO The TSC Terrorist Screening Database 1B\n   839     FBI        TSC                                                               Dec 2004\n                                System (TSDB-1B)\n   840     FBI        TSC       IT Risk Management Matrix, TSC\n   842     FBI        TSC       IV & V Test Procedures for TSDB 1.8.0.2, TSC\n   843     FBI        TSC       IV & V Test Report, TSDB 1.8.0.2, TSC                   May 2006\n   844     FBI        TSC       Project Schedule TSDB 1 8 Mar                            Jun 2006\n                                Risk Management Plan, Terrorist Screening Center\n   845     FBI        TSC                                                               Apr 2006\n                                (TSC), Version 1.7 (Draft)\n   846     FBI        TSC       System Security Plan, TSDB Phase 1B, Version 1.2         Jul 2005\n   847     FBI        TSC       Test Management Plan, TSDB 1.7.1                        Mar 2006\n                                Independent Verification and Validation (IV &V) Plan,\n   848     FBI        TSC\n                                TSC\n   849     FBI        TSC       TSDB Automated Ingest Project Plan                      Apr 2006\n   850     FBI        TSC       Template for Monthly Project Status Report\n   851    EOIR       eWorld     Project Management Plan, CASE Court Pilot               Apr 2006\n\n\n                                          97\n\x0cItem ID             System or\n        Component                                       Title                            Date\nNumber               Project\n                                Project Management Plan, Digital Audio Recording\n   852    EOIR       eWorld                                                             May 2006\n                                Project, Version 0.05\n                                Project Management Plan, Immigration Review\n   853    EOIR       eWorld                                                             May 2006\n                                Information Exchange System Phase 1 Design (Draft)\n                                Market Survey, EOIR, Digital Audio Recording\n   854    EOIR       eWorld                                                             Apr 2006\n                                Project, Version 0.16 (Draft)\n                                IT Contingency Plan, EOIR, JCON-II/CASE, Version\n   855    EOIR       eWorld                                                             Nov 2005\n                                2.0\n   856    EOIR       eWorld     Configuration Management Plan, EOIR                     Mar 2006\n                                Configuration Management Plan, eWorld, Version 1.0\n   857    EOIR       eWorld                                                             Feb 2006\n                                (Draft)\n                                Privacy Impact Assessment, Executive Office for\n   860    EOIR       eWorld                                                             Apr 2006\n                                Immigration Review\n   862    EOIR       eWorld     OCIO: Project Dashboard\n   863    EOIR       eWorld     System Security Plan (SSP) for JCON-II/CASE, EOIR       Mar 2006\n   864    EOIR       eWorld     DOJ Validation Test Script Forms, JCON-II/CASE\n                                System Security Policy, EOIR, JCON-II/CASE\n   865    EOIR       eWorld                                                             Nov 2005\n                                Network\n                                Incident Response Plan for JCON-II/CASE, EOIR,\n   867    EOIR       eWorld                                                             Feb 2006\n                                Version 2.1\n                                Request for Approval of EOIR Quality Assurance\n   868    EOIR       eWorld                                                             Jun 2006\n                                Guidelines\n                                Strategic Plan 2005-2010, Integrated Wireless Network\n  1004    JMD         IWN                                                               Jun 2006\n                                (IWN), (Draft)\n  1005    JMD        JCON       Strategic and Tactical Plan, JCON                       Apr 2005\n  1008    JMD         PKI       Project Plan Schedule\n                                Request for Information (RFI), JCON PMO, Version\n  1012    JMD        JCON                                                               Apr 2006\n                                1.0\n  1013   ODAG         OFC       Project Schedule, Milestones (Spreadsheets)\n  1014   ODAG         OFC       Project Schedule (Spreadsheets)\n  1017     FBI        LEO       OMB Exhibit 300 for BY 2008, CEI\n  1017    JMD         PKI       OMB Exhibit 300 for BY 2008, CEI\n                                Security Operating Procedures Guide, Firebird\n  1021    DEA        Firebird                                                           Mar 2004\n                                (FSOPG), Version 4.0\n  1022    DEA         M204      Events WBS CY 2004                                      Dec 2006\n  1023    FBI       CARTSAN     OMB Exhibit 300 for BY 2008                             Dec 2006\n  1024    FBI          DCS      OMB Exhibit 300 for BY 2008                             Aug 2006\n  1025    FBI        EDMS       OMB Exhibit 300 for BY 2008                             Aug 2006\n  1026    FBI        FTTTF      OMB Exhibit 300 for BY 2008                             Dec 2006\n  1027    FBI         IAFIS     OMB Exhibit 300 for BY 2008                             Aug 2006\n  1028    FBI         NCIC      OMB Exhibit 300 for BY 2008                             Aug 2006\n  1029    FBI        N-DEx      OMB Exhibit 300 for BY 2008                             Dec 2006\n\n\n                                          98\n\x0cItem ID             System or\n        Component                                       Title                           Date\nNumber               Project\n   1030   FBI         NGI       OMB Exhibit 300 for BY 2008                            Aug 2006\n   1031   FBI         NICS      OMB Exhibit 300 for BY 2008                            Dec 2006\n   1032   FBI        R-DEx      OMB Exhibit 300 for BY 2008                            Dec 2006\n   1033   FBI        Sentinel   OMB Exhibit 300 for BY 2008                            Aug 2006\n   1034   FBI         TRP       OMB Exhibit 300 for BY 2008                            Dec 2006\n   1035   FBI         TSC       OMB Exhibit 300 for BY 2008                            Dec 2006\n   1036   FBI        BRIDG      OMB Exhibit 300 for BY 2008                            Aug 2006\n                                Source Selection Plan, FBI Sentinel Program, Version\n  1037     FBI      Sentinel                                                           Aug 2005\n                                2.95\n  1038    FBI       Sentinel    Statement of Work, Sentinel, Version 2.1               Aug 2005\n  1039    FBI       Sentinel    Lessons Learned, Sentinel, Version 1.0                  Jul 2005\n  1369   ODAG        OFC        Third Party Tool Recommendations                       Jun 2005\n  1370   ODAG        OFC        Background Comp Analysis\n                                Draft Comparative Analysis of OCDETF Requirements\n  1371   ODAG         OFC                                                              Apr 2003\n                                with Existing DOJ Data Warehousing Efforts\n  1372   ODAG         OFC       Comparative Analysis of the FBI\'s SCOPE and FTTTF      Apr 2003\n  1374   ODAG         OFC       FTTTF Tech Concept of OPS                              Feb 2003\n                                SCOPE Functional Requirements with NEDRS\n  1375   ODAG         OFC\n                                Comparison\n  1376   ODAG         OFC       Survey of Data Warehousing Tools - FTTTF, NEDRS        Mar 2004\n                                Comparative Analysis of the FBIs SCOPE and DEAs\n  1377   ODAG         OFC                                                              Feb 2003\n                                NEDRS Systems\n  1378    DEA       Firebird    OMB Exhibit 300 for BY 07                              Sep 2005\n                                Firebird Information Technology Support (FITS)\n  1379    DEA       Firebird                                                           Mar 2004\n                                Market Research Report\n                                Firebird Information Technology Support (FITS)\n  1380    DEA       Firebird                                                           Mar 2004\n                                Acquisition Strategy Executive Summary\n  1383    JMD        LCMS       Privacy Impact Assessment (Draft)                      May 2005\n  1384    DEA        Merlin     Security Test & Evaluation Plan and Procedures         Aug 2003\n  1385    DEA        Merlin     Certification Results                                  Aug 2003\n  1386     FBI       N-Dex      Privacy Impact Assessment, N-Dex                       Mar 2006\n  1387     FBI       N-Dex      Project Schedule, N-Dex\n  1388    JMD         IWN       Market Research Summary                                Apr 2004\n  1389    JMD         IWN       Concept of Operations, IWN\n  1390    OJP        JGMS       Validation Test Script Forms, GMS                      Feb 2006\n  1392    BOP        ITS-II     OMB Exhibit 300 BY 2006\n  1394    DEA        M204       Risk Inventory, M204\n  1395    ATF        NIBIN      Test Rig Test Evaluation Summary - Phase 1 & 2         Jan 2006\n  1396    ATF        NIBIN      Test Rig Test Evaluation Summary - Phase 3             Mar 2006\n  1397    ATF        NIBIN      Testing on Test Rig Test Plan - Phases 1 & 2, NIBIN    Jan 2006\n\n\n                                          99\n\x0cItem ID             System or\n        Component                                       Title                             Date\nNumber               Project\n   1398   ATF        NIBIN      Testing on Test Rig Test Plan - Phase 3, NIBIN           Mar 2006\n   1399   JMD        UFMS       Privacy Impact Assessment, UFMS, Working Draft           Dec 2006\n                                EIS Information System Objective Architecture (Draft),\n  1400    DEA         EPIC                                                               Aug 1991\n                                EPIC\n  1401    DEA        EPIC       EIS Objective System Description, EPIC                   Sep 1993\n  1402    DEA        EPIC       Internal Database Migration Project (Work Plan), EPIC     Jun 1997\n  1403    DEA        EPIC       Internal Database Migration Requirements, EPIC            Jun 1997\n  1404    DEA        EPIC       Seizure System Risk Assessment Report, EPIC              May 2005\n  1405    DEA        EPIC       Information Systems Project management Plan, EPIC        Sep 1991\n  1408    DEA        EPIC       EIS Risk Impacts, EPIC\n  1409    DEA        EPIC       Year 2000 Test Plan, EPIC\n  1410    DEA        EPIC       Operational Test Report                                   Jan 1993\n  1411    DEA        EPIC       Initial Privacy Impact Assessment for EID\n  1412    DEA        EPIC       Development Inspection Logs, EPIC\n  1413    ATF        NIBIN      Deployment of the NIBIN Enterprise - Set 9               Jan 2006\n  1414    ATF        NIBIN      NIBIN Deployment Plan, IBIS 3.4.6 Upgrade                Mar 2006\n  1415    ATF        NIBIN      NIBIN Deployment Schedule, IBIS 3.4.6\n  1416    ATF        NIBIN      Brass TRAX Installation Schedule Template\n  1417    JMD        UFMS       Debrief on Vendor Market Analysis Results                Nov 2002\n  1418    JMD        UFMS       Financial Vendor Response Summary Draft\n  1419    JMD        UFMS       Summary of Market Research\n                                ST & E Plans and Procedures, Appendix E , Model 204\n  1420    DEA        M204                                                                Nov 2004\n                                Corporate Systems\n                                Certification Results, Appendix F, Model 204\n  1421    DEA        M204                                                                Nov 2004\n                                Corporate Systems\n  1422    DEA        Merlin     User Training Plan (Section 1.14 of Proposal 5209)       Dec 2005\n  1423    DEA        Merlin     Classified Network Integration Test Plan & Procedures     Jun 2006\n  1424    DEA        Merlin     Merlin Functional Test Plan and Procedures                 Jul 2006\n  1425    DEA        Merlin     Merlin Integration Test Plan and Procedures                Jul 2006\n  1426    DEA        Merlin     QA Procedures for Merlin Builds                          May 2006\n  1427    DEA        Merlin     Change Management Recommendations                         Jun 2006\n                                Requirements for Classified Network Integration Test\n  1428    DEA        Merlin                                                              May 2006\n                                Facility\n                                System Engineering, Infrastructure Test, and\n  1429    DEA        Merlin                                                              Dec 2005\n                                Integration (Section 1.2 of Proposal 5209)\n                                Deployment of the Merlin System Plan (Section 1.1.6\n  1430    DEA        Merlin                                                              Dec 2005\n                                of Proposal 5209)\n  1431    DEA        Merlin     Configuration Management Plan for the Merlin Project     Sep 2006\n  1432    DEA        Merlin     Merlin Quality Assurance Plan                            Feb 2005\n  1433    DEA        Merlin     Merlin Site Checklist                                    Apr 2007\n  1434    FBI       Sentinel    Sentinel Phase 1 Privacy Impact Assessment               Feb 2006\n\n\n\n                                         100\n\x0c                                                              APPENDIX VI\n\n                           SYSTEM SUMMARIES\n\n\n      The system summaries in this appendix contain information from\ndocuments the components submitted that we did not verify. The purpose is\nto provide readers additional information on each system or project and the\nenvironment in which it operates or is expected to operate.\n\n       The lists of studies, plans, and evaluations include documents\nrepresenting entire studies, plans, and evaluations we determined complied\nwith one or more of the standards described in Finding 1. The lists do not\ninclude all other artifacts the components submitted that we determined\ncontributed to compliance with the standards, such as spreadsheets and\nbriefing slides.\n\n      The document titles in the lists may include additional acronyms that\nwe have defined in the text preceding the document list for each system.\nAcronyms not found in the text of this appendix are located in Appendix II.\nBlank cells in the Date column indicate items for which no date was\nprovided.\n\n\n\n\n                                    101\n\x0c                     National Integrated Ballistics Information Network\n                    Bureau of Alcohol, Tobacco, Firearms, and Explosives\n\n                 The ATF\xe2\x80\x99s National Integrated Ballistics Information Network (NIBIN) program\nsupports criminal investigations in conjunction with the Integrated Ballistics Identification\nSystem (IBIS), a nationally distributed ballistic evidence-imaging database. This database\nassists state and local law enforcement officials in identification of firearms and bullets collected\nat crime locations and allows for comparison and correlation to other crime scene evidence or\nrecovered crime guns. NIBIN allows for the ATF to provide ballistic imaging, comparison\nequipment, and the network over which it communicates to 182 state and local law enforcement\npartners at 239 data remote sites. State and local NIBIN partners enter bullet and cartridge\ncasing evidence into the systems and conduct electronic comparisons to find potential matches.\n"Hits" or matches between crimes, not otherwise known to be related, assist law enforcement\nofficials in locating repeat violent offenders. The program began spending funds in FY 1996,\nand the system is operational.\n\n                             NIBIN Studies, Plans, and Evaluations\n     Document Type                              Title                                Date         Item #\n Business Case Study        OMB Exhibit 300 for BY 2007                             May 2006            8\n Privacy Impact\n                            Privacy Threshold Analysis, IBIS\n Assessment                                                                                               9\n Risk Management Plan       Risk Assessment, NIBIN and IBIS                          Jun 2005            13\n                            Request for Justification for Other Than Full and\n Acquisition Plan\n                            Open Competition                                        Jan 2002              12\n Security Plan              Security Plan, NIBIN and IBIS                           Jun 2005              14\n Test Plan                  Security Test and Evaluation, NIBIN                     Dec 2005              15\n Test Plan                  Testing on Test Rig Test Plan \xe2\x80\x93 Phase 3, NIBIN          Mar 2006            1398\n                            Testing on Test Rig Test Plan \xe2\x80\x93 Phases 1 & 2,\n Test Plan\n                            NIBIN                                                   Jan 2006            1397\n Implementation Plan        Deployment of the NIBIN Enterprise \xe2\x80\x93 Set 9              Jan 2006            1413\n Implementation Plan        NIBIN Deployment Plan, IBIS 3.4.6 Upgrade               Mar 2006            1414\n Training Plan              NIBIN Training Set 11, Version 1.2, Draft                                     17\n Contingency/Continuity\n                            Contingency Plan \xe2\x80\x93 Appendix I, NIBIN\n Plan                                                                                                      2\n Contingency/Continuity\n                            Contingency Plan, DOJ, NIBIN and IBIS\n Plan                                                                               Jun 2005               3\n Test Report                Security Test and Evaluation, NIBIN                     Dec 2005              15\n Test Report                Security Testing and Evaluation, NIBIN                  Dec 2005              16\n                            Test Rig Test Evaluation Summary \xe2\x80\x93 Phase 1 &\n Test Report\n                            2                                                       Jan 2006            1395\n Test Report                Test Rig Test Evaluation Summary \xe2\x80\x93 Phase 3              Mar 2006            1396\n\n\n\n\n                                                102\n\x0c                                  Inmate Telephone System-II\n                                      Bureau of Prisons\n\n        The BOP\xe2\x80\x99s Inmate Telephone System-II (ITS-II) project began spending funds in FY\n1998. The project is a centralized inmate calling system intended to provide inmates with a\nsecure, efficient, and cost effective means of maintaining contact with family, friends, and the\ncommunity while at the same time preventing crime, fraud, and abuse by inmates. It provides\nthe BOP with enhanced call monitoring, call recording, and reporting capabilities. ITS-II is\nfunded and maintained using non-appropriated funds generated from the Commissary Trust\nFund. Maintenance costs for the system are established and funded from the actual costs of\nservice charges for telephone usage. Annual funding is based on the projected sales for that year\nwhich exceeds the outlays for the project. ITS-II is fully installed and is in a steady-state status.\nIt consists of local networks at all BOP facilities and primary and secondary Central Office\nFacilities and is connected via a Wide Area Network.\n\n                             ITS-II Studies, Plans, and Evaluations\n    Document Type                                 Title                              Date        Item #\n Market/Other Research      Request for Comment                                                     416\n                            Analysis of Alternatives, Next Generation\n Business Case Study                                                                 Jul 1996           18\n                            Inmate Telephone System\n Business Case Study        OMB Exhibit 300 BY 2006                                                1392\n Privacy Impact\n                            Privacy Impact Assessment                               Apr 2006            20\n Assessment\n Acquisition Plan           Individual Acquisition Planning                         Jan 1997         19\n Project Plan               Program Plan                                           May 2005         412\n                            Inmate Telephone System (ITS-II) Security\n Security Plan                                                                      Dec 2004            21\n                            Plan\n Systems Engineering\n                            Engineering Management Plan                             Apr 2005        415\n Management Plan\n                            Site Network Integration Plan, ITS-\n Conversion Plan                                                                    Nov 2001            22\n                            II/TRUFACS\n                            Site Network Integration Plan, ITS-\n Implementation Plan                                                                Nov 2001            22\n                            II/TRUFACS\n Contingency/Continuity\n                        Contingency Plan                                            Nov 2004        414\n Plan\n\n\n\n\n                                                103\n\x0c                                         Concorde\n                                  Drug Enforcement Agency\n\n        The DEA is the federal entity charged with the enforcement of the controlled substance\nlaws and regulations. It has approximately 300 locations throughout the world and utilizes\nvarious \xe2\x80\x9cstove-piped\xe2\x80\x9d applications in support of primary businesses \xe2\x80\x93 criminal data gathering,\ncase status tracking, lab analysis, evidence and seized asset handling, licit drug manufacturing\nand distribution tracking (DEA\xe2\x80\x99s diversion function), and administrative functions such as\ntracking agent property (weapons, fleet, badges), and agent tasking. The Concorde program is\nintended to eliminate these stove-piped systems by integrating business functions and allowing\nfor information sharing across the main DEA business areas.\n\n\n                           Concorde Studies, Plans, and Evaluations\n     Document Type                              Title                              Date        Item #\n Privacy Impact\n                           Initial Privacy Impact Assessment , Concorde                            35\n Assessment\n Risk Management Plan      Risk Management Plan, Concorde, Version 1.0            Feb 2005         46\n                           Statement of Work/Acquisition Plan, Concorde,\n Acquisition Plan                                                                Nov 2002          49\n                           Version 1.0\n                           Project Management (PMP), IMPACT Fiscal\n Project Plan                                                                     Sep 2004         42\n                           Year 2004, Version 2.1\n Project Plan              OMB Exhibit 300 for BY 2007                            Sep 2005         39\n                           System Security Authorization Agreement\n Security Plan                                                                   Mar 2002          50\n                           (SSAA), Appendix E, Web Architecture\n Configuration             Configuration Management Plan, Concorde,\n                                                                                  Jul 2004         29\n Management Plan           Version 1.0\n                           Quality Management Plan (QMP), Office of\n Quality Assurance Plan                                                           Sep 2005         83\n                           Information Systems (SI), Version 4.1\n                           Project Test Plan (PTP), IMPACT, Release 2.0,\n Test Plan                                                                        Feb 2005         44\n                           Version 1.0\n Implementation Plan       Project Deployment Plan, Concorde, Version 1.0         Sep 2004         41\n                           Training Program, PMP Concorde, FY 2006,\n Training Plan                                                                    Oct 2005         51\n                           Version 1.0\n Contingency/Continuity\n                        Contingency Plan, Web Architecture, Version 2.0          Mar 2006          30\n Plan\n                        Operational Test for Impact on Security (OTIS)\n Test Report                                                                      Jul 2002         40\n                        Report of the Pilot Implementation, IMPACT\n                        System Security Authorization Agreement\n Test Report                                                                     Mar 2002          50\n                        (SSAA), Appendix E, Web Architecture\n Performance            OCIO: Project Dashboard Project Managers\n                                                                                 Aug 2005          38\n Evaluation             Worksheet, Concorde\n\n\n\n                                              104\n\x0c        In the 1990\xe2\x80\x99s, DEA introduced the agency-wide Firebird client/server, which is the core\nlocal area network. Concorde is built on the Firebird infrastructure. The focus of Concorde is\nthe investigative and case management process.\n\n        The Concorde project is composed of four major technology enhancements:\nInvestigative Management Program and Case Tracking System (IMPACT), Plan Enforcement\nTracking System (PlanETS), Statistical Management and Report Tracking System (SMARTS),\nand the Centralized Evidence Reporting and Tracking System (CERTS). Although the OMB\nexhibit 300 shows the project began spending funds in FY 2003, IMPACT\xe2\x80\x99s pilot\nimplementation was released in 1999. The scheduled completion for the entire project is the end\nof FY 2009.\n\n\n\n\n                                              105\n\x0c                                        E-Commerce\n                                  Drug Enforcement Agency\n\n        The DEA\xe2\x80\x99s Office of Diversion Control (OD) regulates the manufacture and distribution\nof controlled substances in the United States. This regulatory control is designed to prevent the\ndiversion of legitimate pharmaceutical drugs into illegal channels and to ensure that there is a\nsufficient supply for legitimate medical uses while preventing the introduction of contraband\ncontrolled substances into the legal distribution channels.\n\n                        E-Commerce Studies, Plans, and Evaluations\n     Document Type                              Title                              Date       Item #\n                          Economic Impact Analysis of the Electronic\n Business Case Study                                                             Mar 2005           58\n                          Orders Rule\n                          Initial Economic Impact Analysis of the\n Business Case Study                                                             Mar 2003           61\n                          Proposed Electronic Orders Rule\n Business Case Study      OMB Exhibit 300 for BY 2007, Final CSOS                 Sep 2005          64\n                          Detailed Privacy Impact Assessment,\n Privacy Impact\n                          Attachment: DEA CSOS Privacy Policy,                    Sep 2005          56\n Assessment\n                          Section IV\n                          Facilitated Risk Assessment Process, DEA\n Risk Management Plan Diversion Control E-Commerce PKI, SSAA,                    Dec 2003           60\n                          Appendix G, Version 1.0\n                          Risk Management Plan, DEA Diversion Control,\n Risk Management Plan                                                             Oct 2005          72\n                          E-Commerce System, Version 1.0\n                          Program Management Plan, DEA Diversion\n Project Plan                                                                    Nov 2004           68\n                          Control E-Commerce PKI, Version 3.1\n Security Plan            System Security Plan, CSOS, Version 1.0                 Jun 2005          74\n                          Operational and Technical Architecture, Public\n Systems Engineering\n                          Key Infrastructure Analysis, DEA Diversion              Jun 2003          65\n Management Plan\n                          Control E-Commerce PKI\n Configuration            Configuration Management Plan, DEA Diversion\n                                                                                  Feb 2006          53\n Management Plan          Control E-Commerce System, Version 1.0\n                          Process and Product Quality Assurance, DEA\n Quality Assurance Plan Diversion Control E-Commerce System,                     May 2005           67\n                          Version 1.0\n                          Acceptance Test Plan, Public Key Infrastructure\n Test Plan                                                                        Jan 2005          52\n                          Analysis, Diversion PKI, CSOS\n                          Test Plan and Reporting Procedures, CSOS/\n Test Plan                                                                       Dec 2001           75\n                          EPCS\n                          Training Plan, Public Key Infrastructure\n Training Plan                                                                   Aug 2002           76\n                          Analysis, DEA Electronic Commerce PKI\n                          Contingency Plan, DEA Diversion Control E-\n Contingency/Continuity\n                          Commerce PKI System (EPCS/CSOS), Version               Nov 2003           54\n Plan\n                          1.0\n\n\n                                              106\n\x0c     Document Type                            Title                                  Date       Item #\n Contingency/Continuity Contingency Plan, DEA Diversion E-Commerce\n                                                                                   May 2005             55\n Plan                   System Security Plan, Appendix L, Version 1.1\n                        System Security Authorization Agreement\n Test Report                                                                        Mar 2004            73\n                        (SSAA), Appendix F, CSOS and EPCS PKI\n                        Diversion Metrics Implementation Report, DEA\n Post-Implementation\n                        Diversion Control, E-Commerce System,                       Jan 2006            57\n Evaluation\n                        Version 1.0\n\n       The Government Paperwork Elimination Act (GPEA) of 1999 (Title XXII of\nPublic Law 105-277) mandates that Federal agencies allow for the option of electronic\nsubmission of required records and for the use of electronic signatures when practicable.\n\n        In July 1999, DEA undertook the initiative to begin designing two e-commerce initiatives\nthat would enable industry to conduct e-commerce. The first project was called the\nManufacturers and Distributors (MADI) Public Key Infrastructure (PKI) Analysis and Design\nProgram, which involved the designing of a PKI proof-of-concept to better oversee and manage\nthe transfer of Schedule II controlled substances between DEA registrants, manufacturers,\nwholesalers, and pharmacies. The second project was called DEA \xe2\x80\x93 Department of Veterans\nAffairs (DEVA) PKI Pilot Program, which involved designing a public key infrastructure\narchitecture suitable for use in transmitting prescriptions electronically and identifying aspects of\nthe relationship between the physician and the pharmacy that can be enhanced through the\nimplementation of a PKI.\n\n       The initial phases of both projects entailed requirements and design analysis. The next\nphases of the e-commerce projects introduced a change in the project titles: Controlled\nSubstance Ordering System (CSOS) and Electronic Prescriptions for Controlled Substances\n(EPCS). The DEA and DVA pilot continues under the EPCS project.\n\n      The CSOS/EPCS project began spending funds in FY 1999 and is estimated to be\ncomplete in FY 2016. The DEA has begun the collection and analysis of CSOS orders.\n\n\n\n\n                                                107\n\x0c                  El Paso Intelligence Center (EPIC) Information Systems\n                                  Drug Enforcement Agency\n\nOther Components Involved: Federal Bureau of Investigation\n                           U.S. Marshals Service\n                           Bureau of Prisons\n\n                             EIS Studies, Plans, and Evaluations\n    Document Type                               Title                             Date       Item #\n                           National Drug Seizure System Discussion Paper,\n Market/Other Research                                                           Feb 2004       432\n                           CDX\n                           NDSS Project, Background: NIBRS/UCR Data,\n Market/Other Research                                                          May 2003        427\n                           CDX\n Business Case Study       OMB Exhibit 300 for BY 2007                           Sep 2005           77\n Privacy Impact\n                           Initial Privacy Impact Assessment for EID                          1411\n Assessment\n Risk Management Plan      EIS Risk Impacts, EPIC                                             1408\n Risk Management Plan      Risk Assessment Report, EPIC                         May 2005       417\n                           Risk Management Plan, Open Connectivity\n Risk Management Plan                                                           Aug 2004        429\n                           Project, DEA EPIC, Revised\n Risk Management Plan      Seizure System Risk Assessment Report, EPIC          May 2005      1404\n                           Information Systems Project management Plan,\n Project Plan                                                                    Sep 1991     1405\n                           EPIC\n Security Plan             System Security Plan, ESS                            Aug 2005        420\n Systems Engineering       System Engineering Management Plan, EPIC\n                                                                                 Jun 2004       424\n Management Plan           Open Connectivity Project\n                           Configuration Control Board (CCB) Charter and\n Configuration\n                           Request for Information Technology Services           Feb 2004       425\n Management Plan\n                           (RITS) Policy\n                           Quality Management Plan (QMP), Office of\n Quality Assurance Plan                                                          Sep 2005           83\n                           Information Systems (SI), Version 4.1\n Verification/Validation   Verification and Validation Plan, EPIC Open\n                                                                                 Apr 2004       426\n Plan                      Connectivity Project\n Test Plan                 Development Inspection Logs, EPIC                                  1412\n Test Plan                 Year 2000 Test Plan, EPIC                                          1409\n Training Plan             Training Plan, EPIC Open Connectivity Project         Jun 2004      423\n Contingency/Continuity\n                         Contingency Plan, ESS                                  Mar 2006        422\n Plan\n Test Report             Development Inspection Logs, EPIC                                    1412\n Test Report             Operational Test Report                                 Jan 1993     1410\n\n       EPIC accomplishes its mission in part by manually processing written or telephonic\nrequests for information received from State, local and Federal law enforcement personnel, on\npersons, modes of transportation, organizations, or addresses that are suspected of being engaged\n\n\n                                              108\n\x0cin, or associated with some criminal activity. Watch Officers using a multiple database query\nprocess the requests for information.\n\n        The objective of the Open Connectivity Project is to enable EPIC to provide secure\ninternet access to tactical intelligence information for Federal, State and Local law enforcement\nagencies. The system objective is to streamline access by providing to all EPIC customers a\npoint of entry that permits direct and remote electronic access from the users\xe2\x80\x99 existing IT and\ninternet architecture and provides an automated response to queries. With the Open Connectivity\nProject, EPIC will provide this access for its customers in the form of a secure, Internet\nconnection. Through an EPIC web site, law enforcement officers will access EPIC services,\nwhich will include the multiple source data repository, comprehensive query results, multiple\nformatted reports, and automated analytical support.\n\n\n\n\n                                              109\n\x0c                                          Firebird\n                                  Drug Enforcement Agency\n\n        Firebird is the DEA\'s global computing infrastructure, providing the foundation for the\ncommunications network, the client and server hardware and software, and the DEA\'s complete\noffice automation system to all DEA personnel and contractors. A client-server based network,\nFirebird links DEA offices and components worldwide and supports the full spectrum of DEA\noperations. Firebird enables the DEA\'s investigative case management system, the financial\nmanagement system, and all other Sensitive But Unclassified (SBU) information systems that\nDEA personnel use to support their daily job functions. Firebird also provides the interface for\nall new web-based applications and lays the foundation for improved information sharing with\npartner agencies.\n\n                        Firebird Studies, Plans, and Evaluations\n     Document Type                             Title                               Date       Item #\n                        Firebird Information Technology Support (FITS)\n Market/Other Research                                                           Mar 2004          1379\n                        Market Research Report\n Business Case Study    OMB Exhibit 300 for BY 07                               Sep 2005           1378\n                        Project Management Plan (PMP), Firebird\n Project Plan           Infrastructure Technology Services (FITS),                Jan 2006          129\n                        Version 3.0\n                        Security Operating Procedures Guide, Firebird\n Security Plan                                                                   Mar 2004          1021\n                        (FSOPG), Version 4.0\n Configuration          Configuration Management Plan (CMP), FITS,\n                                                                                  Jan 2006          116\n Management Plan        Version 1.3\n Quality Assurance Plan Quality Assurance Plan, FITS, Version 2.1                 Jan 2005          130\n                        Security Test and Evaluation Plan and\n Test Plan                                                                        Jul 2004          131\n                        Procedures, Appendix E\n                        EOS Software Deployment Function Description,\n Implementation Plan                                                                                118\n                        Version 2.5, not dated\n                        Windows 2003 (W2K3) Implementation Plan,\n Implementation Plan                                                             Jun 2006           139\n                        FITS MDE, Version 1.2\n Contingency/Continuity Windows Server 2003 Infrastructure Disaster\n                                                                                 Jun 2006           141\n Plan                   Recovery Document, FITS, Version 2.1\n                        Test Matrix, Desktop and Server Management\n Test Report                                                                                        137\n                        Evaluation 2005\n Performance            Enterprise Health and Performance Metrics\n                                                                                May 2006            117\n Evaluation             Review\n Performance\n                        Firebird Dashboard                                       Apr 2006           121\n Evaluation\n Performance\n                        SIO Firebird project portfolio                            Jul 2006          132\n Evaluation\n\n\n\n\n                                              110\n\x0c        In 1994 the DEA began replacing its proprietary Wang Office Automation (OA) system\nwith Firebird. The OA system provided personnel with basic office automation software and\naccess to DOJ mainframe systems, but did not allow for electronic case management, or\nelectronic communications and information sharing between DEA offices. The DEA designed\nFirebird based on forward looking enterprise-wide and Federal IT standards, the recognized\nadvantages of a modular architecture, and the need for a flexible system that is maintainable and\nexpandable.\n\n       The Firebird project began spending funds in FY 1994, and entered the\nOperational/Maintenance phase in FY 2003. In May 2003, the DEA completed its initial\ndeployment of Firebird, which supports nearly 16,000 users, over 14,500 workstations, and over\n500 servers in more than 370 locations worldwide.\n\n\n\n\n                                              111\n\x0c                                Model 204 Corporate Systems\n                                 Drug Enforcement Agency\n\nOther Components Involved: Federal Bureau of Investigation\n\n        The DEA performs mainframe data processing activities utilizing Computer Corporation\nof America (CCA) Model 204 database management system software for the development of\napplications for the corporate mission and administrative databases. These Model 204 Corporate\nSystems applications or subsystems provide the capability for DEA personnel to acquire\ninformation relating to drug related activities and cases. The applications also provide a method\nto track administrative information relating to DEA equipment and personnel.\n\n                             M204 Studies, Plans, and Evaluations\n    Document Type                                 Title                            Date       Item #\n Business Case Study       OMB Exhibit 300 for BY 2007                            Jul 2005         80\n                           Project Management Plan (PMP), Events Activity\n Project Plan              Subsystem (EVENTS), Calendar Year 2004,               Jun 2004           82\n                           Version 1.0\n                           Systems Security Authorization Agreement\n Security Plan                                                                  Nov 2004            85\n                           (SSAA), Model 204 Corporate Systems (M204)\n                           Project Level Configuration Management Plan,\n Configuration\n                           Events Activity Subsystem (EVENTS), Version           Jun 2004           81\n Management Plan\n                           1.0\n                           Quality Management Plan (QMP), Office of\n Quality Assurance Plan                                                          Sep 2005           83\n                           Information Systems (SI), Version 4.1\n                           Independent Verification and Validation (IV&V)\n Verification/Validation\n                           Software Testing Procedure for Mainframe              Jun 2004           79\n Plan\n                           Environment, Version 2.0\n                           ST & E Plans and Procedures, Appendix E,\n Test Plan                                                                                      1420\n                           Model 204 Corporate Systems\n                           Certification Results, Appendix F, Model 204\n Test Report                                                                                    1421\n                           Corporate Systems\n\n         The M204 system includes approximately 32 core investigative and administrative\napplications that support DEA\'s mission, strategic goals, and objectives as well as serving the\nspecific needs of external DEA partners. Several of the legacy applications now running in the\nM204 environment are scheduled for replacement through a number of modernization initiatives.\nTo enhance the usability and simplify access to M204 applications until the modernization\ninitiatives deploy viable solutions, DEA has acquired and is implementing JANUS Web Server\nto provide browser based access to selected M204 applications. JANUS will replace the\nmainframe "green screen" with user friendly drop down menus, data entry validation and\nnavigation features.\n\n       The M204 project began spending funds in FY 1980, and is in the\noperational/maintenance phase of the DEA SDLC.\n\n                                              112\n\x0c                                           Merlin\n                                   Drug Enforcement Agency\n\n        Merlin provides DEA offices with the capability to transmit, access, and share classified\nintelligence data over the existing classified telecommunications networks that service the\nDEA\xe2\x80\x99s domestic and foreign offices.\n\n        The Merlin system provides the end-users workstations and the necessary enterprise and\nsite-level servers to run Active Directory services, mail services, local file services, and a Merlin\nWeb site. The Merlin system provides the end users with a complement of commercial\napplications such as Microsoft Office, i2\xe2\x80\x99s Analyst\xe2\x80\x99s Notebook, and ArcView. It also provides\nthe users access to DEA custom applications that use a browser (Internet Explorer) interface.\n\n                             Merlin Studies, Plans, and Evaluations\n    Document Type                                  Title                              Date       Item #\n Business Case Study        OMB Exhibit 300 for BY 2007                                             271\n                            Risk Assessment Report, DEA Classified\n Risk Management Plan\n                            Infrastructure Support System                           May 2005        261\n Project Plan               Merlin Program Plan, Version 2                          Jun 2006        268\n                            System Security Authorization Agreement\n Security Plan\n                            (SSAA), DCISS                                           Aug 2003        272\n Configuration              Configuration Management Plan for the Merlin\n Management Plan            Project                                                  Sep 2006      1431\n                            Quality Management Plan (QMP), Office of\n Quality Assurance Plan\n                            Information Systems (SI), Version 4.1                   Sep 2005         83\n Quality Assurance Plan     Merlin Quality Assurance Plan                           Feb 2005       1432\n Test Plan                  Security Test & Evaluation Plan and Procedures          Aug 2003       1384\n Contingency/Continuity\n                        Contingency Plan for the DEA Merlin Program\n Plan                                                                               Jun 2006        259\n Test Report            Certification Results                                       Aug 2003       1385\n                        COOP Test Report using VERITAS Replication\n Test Report\n                        EXEC 3.1                                                    Mar 2006        260\n                        System Security Authorization Agreement\n Test Report\n                        (SSAA), DCISS                                               Aug 2003        272\n Performance            Earned Value Management (EVM) Merlin, Doc\n Evaluation             #12-35-41-55                                                 Jul 2006       262\n Performance\n                        Merlin Dashboard - May\n Evaluation                                                                          Jun 2006       264\n\n\n\n\n                                                113\n\x0c          Organized Crime Drug Enforcement Task Force Fusion Center System\n                        Office of the Deputy Attorney General\n\nOther Components Involved: Executive Office for the U.S. Attorneys\n                                  Bureau of Alcohol, Tobacco, Firearms, and Explosives\n                                  U.S. Marshals Service\n                                  Federal Bureau of Investigation\n                                  Criminal Division\n                                  Tax Division\n\n        The mission of the OCDETF Fusion Center (OFC) is to fuse data from multiple disparate\nsources and extract previously unidentified relationships and knowledge from the fused data\nrelating to persons and organizations. The OFC will support the OCDETF intelligence and\ninvestigative activities task force with a fused database comprised of information from its\nmember agencies. The Fusion Center System is a web based application that will be used by the\nOFC analysts and agents to search on information contained within this fused database.\nOCDETF began spending funds on the Fusion center system in FY 2003.\n\n                           OFC Studies, Plans, and Evaluations\n    Document Type                              Title                           Date      Item #\n                          Comparative Analysis of the FBIs SCOPE and\n Market/Other Research\n                          DEAs NEDRS Systems                                  Feb 2003     1377\n                          Comparative Analysis of the FBI\'s SCOPE and\n Market/Other Research\n                          FTTTF                                              Apr 2003      1372\n                          Draft Comparative Analysis of OCDETF\n Market/Other Research    Requirements with Existing DOJ Data\n                          Warehousing Efforts                                Apr 2003      1371\n Market/Other Research    Third Party Tool Recommendations                   Jun 2005      1369\n Business Case Study      OMB Exhibit 300 for BY 2006                        Sep 2004       316\n Privacy Impact\n                          Privacy Impact Assessment, OFC (Draft)\n Assessment                                                                  Aug 2004       320\n Risk Management Plan     Risk and Issue Management Master Plan              Jun 2005       328\n                          Justification for Other than Full and Open\n Acquisition Plan\n                          Competition                                        May 2004       306\n Project Plan             Project Management Plan, OFC Deployment            Sep 2005       321\n Project Plan             Project Plan, Software Version 1.0, OFC            May 2006       322\n Security Plan            System Security Plan, OFC Compass                                 334\n                          Quality Management Plan (QMP), Office of\n Quality Assurance Plan\n                          Information Systems (SI), Version 4.1               Sep 2005       83\n Test Plan                System Test Plan, OFC, Version 1.2                  Jan 2006      335\n Training Plan            Compass Training Plan, OFC, Version 1.0             Sep 2005      289\n Contingency/Continuity\n                        IT Contingency Plan, IRSS, Version 2.2\n Plan                                                                        Mar 2005       305\n Test Report            System Test Plan, OFC, Version 1.2                   Jan 2006       335\n\n\n                                            114\n\x0c                                           eWorld\n                          Executive Office for Immigration Review\n\n         The Executive Office for Immigration Review\'s (EOIR) eWorld project began spending\nfunds in FY 2002 and is the agency\'s primary initiative in its capital planning and investment\ncontrol process. In this multi-year, multi-phased, multi-disciplinary project, EOIR will make the\ntransition from paper to electronic documents for its official adjudication records spanning from\ninitial filing through final appellate decisions.\n\n                            eWorld Studies, Plans, and Evaluations\n    Document Type                                 Title                           Date       Item #\n                           Market Survey, EOIR, Digital Audio Recording\n Market/Other Research                                                           Apr 2006       854\n                           Project, Version 0.16 (Draft)\n Business Case Study       OMB Exhibit 300 for BY 2007                           Jan 2006       112\n Privacy Impact            Privacy Impact Assessment, Executive Office for\n                                                                                 Apr 2006       860\n Assessment                Immigration Review\n Project Plan              Project Management Plan, CASE Court Pilot             Apr 2006       851\n                           Project Management Plan, Digital Audio\n Project Plan                                                                   May 2006        852\n                           Recording Project, Version 0.05\n                           System Security Plan (SSP) for JCON-II/CASE,\n Security Plan                                                                   Mar 2006       863\n                           EOIR\n Configuration\n                           Configuration Management Plan, EOIR                   Mar 2006       856\n Management Plan\n Configuration             Configuration Management Plan, eWorld,\n                                                                                 Feb 2006       857\n Management Plan           Version 1.0 (Draft)\n Contingency/Continuity    IT Contingency Plan, EOIR, JCON-II/CASE,\n                                                                                 Nov 2005       855\n Plan                      Version 2.0\n\n\n\n\n                                              115\n\x0c                         Biometric Reciprocal Identification Gateway\n                              Federal Bureau of Investigation\n\n        The FBI\'s IAFIS is a 10-rolled fingerprint identification system that is used by federal,\nstate, and local law enforcement and authorized non-criminal justice agencies to identify subjects\nwith criminal histories. The DHS IDENT is a 2-flat fingerprint identification system originally\ndeployed by the Immigration and Naturalization Service as a database of criminal and illegal\naliens to assist Border Patrol in identifying aliens who repeatedly attempt illegal border\ncrossings. The DHS utilizes IDENT for search and enrollment purposes when non-US citizens\ntravel to the United States through an authorized port of entry. The Department of State (DOS)\nConsular Posts utilize IDENT for search and enrollment purposes when determining suitability\nfor aliens traveling to the United States. Currently, IAFIS and IDENT are linked through limited\nautomated and manual processes.\n\n                            BRIDG Studies, Plans, and Evaluations\n    Document Type                                Title                             Date      Item #\n                           Full Business Case, IDENT-IAFIS\n Business Case Study                                                              Jan 2006       455\n                           Interoperability, iDSM Project\n Business Case Study       OMB Exhibit 300 for BY 2008                           Aug 2006      1036\n Privacy Impact            Privacy Impact Assessment for the DOJ/FBI-\n                                                                                                 459\n Assessment                DHS Interim Data Sharing Model (iDSM)\n Risk Management Plan      Risk Management Plan, iDSM Project                     Jan 2006       462\n\n       The FBI supports DHS and DOS through daily biographic-based extracts of wants and\nwarrants that have an associated FBI number and Known and Suspected Terrorists. The extract\nprocess, however, does not provide real-time access to current information, includes only a\nsubset of information, and does not allow international, federal, state, and local fingerprint\ncontributors access to all immigration information. Various legislative acts demand that the FBI\nand DHS ensure that the biometric systems are able to seamlessly share data that is complete,\naccurate, current, and timely. Through this interoperability, the criminal and immigration\ninformation will be accessible to and shared among other federal, state, and local law\nenforcement agencies.\n\n       In order to realize interoperability, investment is needed to develop the Biometric\nReciprocal Identification Gateway (BRIDG). BRIDG development is planned in three phases:\ninterim Data Sharing Model (iDSM); Initial Operating Capacity (IOC); and the Full Operating\nCapacity (FOC). In FY 2008, investment is needed to support the operation and maintenance of\nthe iDSM and development of both the IOC and FOC portions of the BRIDG. The BRIDG\ninvestment will allow the creation and maintenance of biometric-based links between the\nbiographic information contained in the IAFIS and IDENT systems, in near real time, as well as\nprovide the infrastructure necessary to exchange data between the systems to ensure that\nbiometric-based immigration and travel history information and criminal history record\ninformation is available to authorized personnel.\n\n\n\n\n                                              116\n\x0c                 Computer Analysis Response Team Storage Area Network\n                            Federal Bureau of Investigation\n\n        In the aftermath of the September 11, 2001 terrorist attacks, the FBI collected digital\nevidence from businesses, personal computers and loose media from across the US. The FBI did\nnot possess a storage/examination/review system that could efficiently and consistently process\nlarge quantities of digital evidence collected from multiple sources. The Computer Analysis\nResponse Team Storage Area Network (CARTSAN) System is a unique state-of-the-art "Digital\nForensic Network" that allows for the efficient forensic processing and review of computer\nevidence. This system was certified and accredited on August 15, 2005. It offers the Computer\nAnalysis Response Team (CART) Examiner and FBI Case Agent a resource that ensures\naccurate and timely handling of computer evidence acquired in support of Criminal, Cyber,\nCounterintelligence and Counterterrorism matters in a forensically secure environment.\n\n                           CARTSAN Studies, Plans, and Evaluations\n     Document Type                              Title                               Date    Item #\n Business Case Study        OMB Exhibit 300 for BY 2008                            Dec 2006   1023\n Privacy Impact\n                            Privacy Impact Assessment, CARTSAN, (Draft)                               446\n Assessment\n Risk Management Plan       Risk Management Plan                                    Jul 2005      447\n Security Plan              System Security Plan, CARTSAN                          Aug 2005       449\n Configuration              Configuration Management Plan, Version 0.1\n                                                                                                  438\n Management Plan            (Draft)\n                            Digital Evidence Laboratory Quality Assurance\n Quality Assurance Plan                                                            Apr 2006           439\n                            Manual Supplement, CART\n Test Plan                  Certification Test Report, CARTSAN                     Aug 2005       436\n Implementation Plan        CARTSAN Review Network Installation Plan               Jun 2005       434\n Test Report                Certification Test Report, CARTSAN                     Aug 2005       436\n Performance\n                            Earned Value Management Worksheet                       Jul 2005      441\n Evaluation\n Performance\n                            Investment Management/Project Review Board             Aug 2005           443\n Evaluation\n\n       Each CARTSAN System has the ability to temporarily store large quantities of digital\ncomputer evidence. This system establishes digital connectivity between the CART forensic\nexamination and review processes, eliminating the need to store forensic examination data on\nmultiple hard drives. The system greatly reduces the time required to process and disseminate\ncomputer related evidence.\n\n       In FY 2006, CART anticipates completing more than 10,000 examinations of computer\nmedia, equating to more than one Petabyte of digital evidence. One Petabyte of information is\nequivalent to 250 billion pages of text; enough to fill 20 million, four-drawer filing cabinets. As\nthe amount of data average businesses collect and store is doubling each year, this amount of\ndata will be what many businesses will be managing within the next 5 years. As this growth\n\n\n                                               117\n\x0coccurs, the FBI is required to expand its capability to process and temporarily store these\nincreasing amounts of data.\n\n       Phase I of the CARTSAN project, initiated in FY 2002 and concluded in FY 2006,\nincluded the design, acquisition, and deployment of CARTSAN Systems to 25 major FBI Field\nOffice and Regional Computer Forensic Laboratories (RCFL) locations. Phase II is scheduled to\nbegin in BY 2007 with the allocation of personnel resources to begin planning for the next\ndeployment of systems. Phase II includes the purchase and deployment of 20 new CARTSAN\nSystems as well as operation, maintenance and upgrade costs for the existing 25 systems.\n\n\n\n\n                                               118\n\x0c                                Combined DNA Index System\n                               Federal Bureau of Investigation\n\n        The Combined DNA Index System (CODIS) is an automated DNA information\nprocessing and telecommunications system that supports the National DNA Index System, State\nDNA Index System, and Local DNA Index System. The concept behind CODIS is to create a\ndatabase of the States\' convicted offender profiles to help solve violent crimes for which there\nare no suspects. CODIS enables Federal, State, and local forensic laboratories to exchange and\ncompare DNA profiles electronically, thereby linking serial violent crimes to each other and to\nknown offenders. CODIS uses two indexes to generate investigative leads in crimes where\nbiological evidence is recovered from the crime scene. The Convicted Offender Index contains\nprofiles of individuals convicted of felony offenses and other crimes. The Forensic Index\ncontains DNA profiles developed from crime scene evidence, such as semen stains or blood.\n\n       This investment began in 1990 and is scheduled to be completed by January 2010.\n\n                         CODIS Studies, Plans, and Evaluations\n     Document Type                            Title                              Date    Item #\n Business Case Study    FY 2008 Full Business Case                              Dec 2005    467\n Privacy Impact         Privacy Impact Assessment, National DNA Index\n                                                                                 Oct 2004          471\n Assessment             System (NDIS) Database\n                        Risk Management Plan, CODIS, Draft\n Risk Management Plan                                                           May 2006           473\n                        Version 01\n                        Single Acquisition Management Plan for the\n Acquisition Plan                                                                Feb 2006          475\n                        Combined DNA Index System\n                        Product Management Plan, CODIS Bridge\n Project Plan                                                                    Sep 2005          472\n                        Contract Extension\n Security Plan          System Security Plan, CODIS                              Jan 2005          476\n Contingency/Continuity Three Part Contingency Plan, CODIS Bridge\n                                                                                 Oct 2005          477\n Plan                   Contract Extension\n\n\n\n\n                                              119\n\x0c                                      Data Centers Unit\n                                Federal Bureau of Investigation\n\n        The Data Centers project began spending funds in FY 2004. The project consists of:\n(1) operations and maintenance of installed computing platforms, data storage devices, and a\nchannel extension network; (2 ) modernization of computing platforms, operating systems, data\nstorage devices, and channel extension; (3) enhancement of existing hardware / software (for\nexample, for storage expansion, greater processing capacity, process improvement, and systems\nintegration); and (4) periodic development for new technology or projects such as robotic tape\nlibraries and channel extension (past) and an enterprise backup solution (future). The mission of\nthe Data Centers Unit is to provide an IT infrastructure and effective, efficient, and timely\ntechnical support that is the foundation for supporting the FBI\'s priorities. The major goal of the\nData Center Unit is to provide continuous, effective automated production workload support and\nbusiness continuity for all FBI investigative and administrative missions.\n\n                          DCU Studies, Plans, and Evaluations\n     Document Type                            Title                                  Date    Item #\n Business Case Study    OMB Exhibit 300 for BY 2008                                 Jul 2005    489\n                        Contribution of the Mainframe to the Bureau\'s\n Project Plan                                                                      Feb 2006       481\n                        Mission, FBI\n Project Plan           Project Plan, Global Mirroring Project                     Dec 2005       490\n                        System Security Plan, FBI, Enterprise Servers,\n Security Plan                                                                     Oct 2004       492\n                        Version 1.2\n Contingency/Continuity Continuity of Operations Plan, FBI, ITOD,\n                                                                                   Jan 2005       480\n Plan                   Operations Section\n Performance            Project Summary Report, ITOD Mainframe\n                                                                                                  491\n Evaluation             System Upgrade\n\n\n\n\n                                               120\n\x0c                                  Digital Collection System\n                               Federal Bureau of Investigation\n\n        The Digital Collection project began spending funds in FY 1997. Digital Collection\nconsists of the DCS-3000, DCS-5000, and DCS-6000, which provide digital collection tools,\nforeign counterintelligence gathering, and law enforcement evidence collection, respectively.\n\n                             DCS Studies, Plans, and Evaluations\n     Document Type                                Title                          Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                          Aug 2006   1024\n Privacy Impact            Privacy Impact Assessment, SPIDERNET and\n                                                                                Aug 2001        510\n Assessment                DIGITAL STORM\n Privacy Impact            Privacy Impact Assessment, Upgrade from\n                                                                                Dec 2005        511\n Assessment                SPIDERNET to Red Wolf\n                           Risk Assessment and Management Plan (RAMP),\n Risk Management Plan      DCS-6000, Systems Security Plan, Appendix L,         May 2006        521\n                           Version 2.0\n                           Project Plan, Digital Collection System, Digital\n Project Plan                                                                   Nov 2004        516\n                           Collection - 05\n                           Project Plan, Digital Collection, Digital\n Project Plan                                                                   Aug 2003        517\n                           Collection - 03\n                           Project Plan, Digital Collection, Digital\n Project Plan                                                                    Jan 2004       518\n                           Collection - 04\n Project Plan              Project Plan, Digital Storm                          Jun 1998        519\n Security Plan             System Security Plan, DCS 3000, Version 2.0          Apr 2006        524\n Security Plan             System Security Plan, DCS-5000, Revision 3.5         Dec 2005        525\n                           System Security Plan, DCS6000 Voice Box III,\n Security Plan                                                                  May 2006        526\n                           Version 3.1\n Test Plan                 Test Plan, Digital Storm, Version 1.0                 Feb 1999       527\n Performance\n                           Project Status Report, DCS-5000                       Jun 2006       520\n Evaluation\n Post-Implementation       Phase Review Report, Phase 1/2, Project Digital\n                                                                                Aug 1998        509\n Evaluation                Storm,\n Post-Implementation       Project Closeout Report, Digital Collection - 04,\n                                                                                 Jul 2005       514\n Evaluation                Version 1.1\n\n         Today\'s information technology capabilities afford terrorists and criminals many avenues\nto coordinate and commit offenses against US citizens and interests. Traditional phones were the\nprimary avenue criminals used to communicate information regarding unlawful acts. Today,\nmore incidents are committed and facilitated by terrorists using high-tech, non traditional\ncommunications methods. Communications methods are dramatically increasing in number and\ncomplexities, resulting in the continual and evolving need for advanced methods of electronic\nsurveillance of voice communications - methods of electronic surveillance have limited-life\nutility in intercepting newer, more secure types of publicly offered communications.\n\n\n                                              121\n\x0c        The expansion of electronic surveillance activity in frequency, sophistication, and\nlinguistic needs continues to increase the level of support required. An important factor behind\nthis expansion is the changing demographic of targets that must be monitored by investigators.\nThe FBI must supply equipment and analytical tools to uniquely qualified language specialists to\nspeed the translation and transcription process to meet the investigators\' needs. Further, the life\nspan of today\'s technology is often much shorter than older technologies, resulting in more\nfrequent need for solution development. Terrorist and criminal activity has expanded across\ninternational boundaries. Current United States-based intercept technologies and collection\ncapabilities are not always sufficient to meet global requirements. Increased coordination and\ncooperation with other government agencies and governments of other countries place are\nneeded.\n\n       Digital collection must continue to clearly define electronic surveillance requirements\nand closely track manufacturers\' approaches and solutions. Collection equipment manufacturers\ncontinue toward complying with technical standards as a result of the Communications\nAssistance to Law Enforcement Act (CALEA). One result of the CALEA standard is more\ninformation is available for collection. This increase in data coupled with the increased\ncomplexity of computer-based electronic surveillance information management systems will\nimpose a requirement for efficient distribution to users and their respective collection systems.\n\n\n\n\n                                               122\n\x0c                      Electronic Surveillance Data Management System\n                               Federal Bureau of Investigation\n\n        The Electronic Surveillance (ELSUR) Data Management System (EDMS) project began\nspending funds in FY 2004. The system ensures the timely and proactive collaboration, analysis,\nand integration of Title III and Foreign Intelligence Surveillance Act (FISA) intelligence and\nevidence collected from lawfully authorized digital intercepts and seizures.\n\n                            EDMS Studies, Plans, and Evaluations\n     Document Type                             Title                             Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2007                          Sep 2005    540\n Business Case Study       OMB Exhibit 300 for BY 2008                          Aug 2006   1025\n Privacy Impact\n                            Privacy Impact Assessment (PIA), Draft               Sep 2005       529\n Assessment\n Risk Management Plan      Risk Management Plan, EDMS                           Aug 2000        547\n Risk Management Plan      Risk Management Plan, EDMS, Version 3.0                              548\n                           Project Plan, Project EDMS (ELSUR Data\n Project Plan                                                                    Feb 2004       544\n                           Management System)\n                           System Security Plan, EDMS, version EDMS\n Security Plan                                                                   Apr 2004       553\n                           SSP Rev. 2.0\n Configuration\n                           Configuration Management Plan, Revision b             Sep 2005       532\n Management Plan\n Test Plan                 Certification Test Plan                               Apr 2004       531\n                           Test and Evaluation Master Plan, EDMS,\n Test Plan                                                                      Aug 2005        555\n                           Revision A\n                           Target EA and Transition, EDMS Enterprise\n Conversion Plan                                                                 Jan 2005       554\n                           Architecture, Executive Summary, Version 1.0\n Contingency/Continuity\n                           Continuity of Operations Plan                         Apr 2004       533\n Plan\n Performance               EDMS Briefing for the FBI Science and\n                                                                                  Jul 2005      536\n Evaluation                Technology Advisory Board\n Performance\n                           Project Status Report, ELSUR EDMS                     Apr 2006       546\n Evaluation\n Performance\n                           Department Investment Review Board                                   535\n Evaluation\n Performance\n                           Monthly Project Status Reporting                                     543\n Evaluation\n\n        EDMS integrates and consolidates ELSUR products, such as wiretaps, telephone, email,\nand seized media from multiple field collection systems. As ELSUR products are consolidated\ninto EDMS, the system performs multiple functions, including indexing, data minimization (for\nlegal compliance), language translation, data prioritization, and other functions. Most\nimportantly, EDMS provides the capability for agents, translators, and analysts to have increased\naccess to many types of ELSUR data extracted from multiple collection sources to view and\n\n\n                                              123\n\x0canalyze within a single system. This significantly increases the FBI\'s ability to manage, analyze,\nand share ELSUR products and greatly improves the efficiency with which investigators can\ndevelop leads and intelligence through integrating best-of-breed automated and interoperable\ndata analysis capabilities.\n\n        While providing significant tactical value, EDMS cannot continue to support the FBI\'s\ncounterintelligence and counterterrorism mission objectives as it currently exists due to the\nincrease in data collection volume and user base. Since October 2004, EDMS experienced a 300\npercent increase in average users per month. Over the past 3 years, the volume of ELSUR\ncollections has grown over 62 percent for audio wire-taps and over 3,034 percent for digital\ncollections such as email and seized media. The current system is unable to scale and meet these\ngrowing demands. Because of the increased burden, the ability to share ELSUR data and\ncollaborate efficiently with other authorized federal, state, local law enforcement and federal\nintelligence agencies will no longer be feasible unless the proposed enhancements are\nimplemented.\n\n       The budget year 2008 primary objectives are to: provide additional disk capacity to\nsupport current and anticipated storage needs; enhance current system security controls to\nadequately protect data; upgrade interfaces and data loaders to provide for increases in data\nvolume inputs and more efficiently manage data; and acquire additional software licenses and\nprocessors to accommodate anticipated increase in users.\n\n\n\n\n                                              124\n\x0c                            Foreign Terrorist Tracking Task Force\n                               Federal Bureau of Investigation\n\n        In 2001, Homeland Security Presidential Directive-2 established the Foreign Terrorist\nTracking Task Force (FTTTF) to provide actionable intelligence to law enforcement to assist in\nthe location and detention and ultimate removal of terrorists and their supporters from the US.\n\n        In 2005, a White House Memorandum on Strengthening the Ability of the Department of\nJustice to Meet Challenges of the Security of the Nation directed the Attorney General to\nestablish a "National Security Service" and to combine the missions, capabilities, and resources\nof the counterterrorism, counterintelligence, and intelligence elements of the FBI under the\nleadership of a senior FBI official. As a result, the FBI created the National Security Branch.\nThis Branch will enable FBI to meet information sharing Presidential Guidelines and Initiatives\nsuch as the Intelligence Reform and Terrorism Prevention Act of 2004.\n\n                            FTTTF Studies, Plans, and Evaluations\n    Document Type                                 Title                           Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                           Dec 2006   1026\n Risk Management Plan      Risk Management Plan, Guardian, Version 1.0           Apr 2006    565\n                           Project Management Plan (Software\n Project Plan                                                                    Mar 2006         564\n                           Development Plan), Guardian 2.0, Version 9.0\n Systems Engineering       System Engineering Management Plan,\n                                                                                 Mar 2006         567\n Management Plan           Guardian, Draft Version 11.0\n                           Test and Evaluation Master Plan, Guardian,\n Test Plan                                                                       Mar 2006         568\n                           Version 1.0\n Implementation Plan       Installation Plan, Guardian 2, Draft Version 5.0       Apr 2006        561\n\n        In FY 2006, an FBI assessment determined that existing HPSD-2 national security and\ncounterterrorism operations would be enhanced by providing analysis and technology support by\ncapitalizing on FTTTF\'s existing operations in line with FBI\'s Enterprise Architecture. This will\nenable multiple Divisions to consolidate technological and analytical resources to support the\ncombined activities of the counterterrorism, counterintelligence, and intelligence elements of the\nFBI. As part of this mission, the National Security Branch must deliver new analytical\ncapabilities and operational products (such as activity reports, records, and information), real-\ntime to State, local law enforcement, Tribal, FTTTF, National Counterterrorism Center, and\nother agencies. This data warehousing for search and retrieval capability will leverage best\ninformation and querying practices for information sharing through FBI\'s architecture and\nelectronic directory services across domains. These technological solutions will increase the\nefficiency in sharing information with State, local and Tribal law enforcement and make it easier\nfor the FBI to access and analyze the information. This solution supports consolidation of\nresources to combine activities of the counterterrorism, counterintelligence, and intelligence\nelements of the FBI.\n\n       The FTTTF project began spending funds in FY 2005. This FY 2008 justification is\ndesigned to address the core IT strategy of the FTTTF and the National Security Analysis Center\n\n                                              125\n\x0c(NSAC) while providing the framework for integration into the National Security Branch\xe2\x80\x99s\nAnalytical Capabilities Program. This IT enhancement will support the core strategy of the\nNSB.\n\n\n\n\n                                             126\n\x0c                  Integrated Automated Fingerprint Identification System\n                              Federal Bureau of Investigation\n\n        The Integrated Automated Fingerprint Identification System (IAFIS) is a rapid, electronic\nfingerprint identification and criminal history system that responds to law enforcement agencies\nwithin two hours and to authorized civil agencies within 24 hours. Prior to the IAFIS, fingerprint\nidentification was a manual, labor-intensive process which took weeks or months to complete.\nThe IAFIS provides identification, image exchange, and criminal history services to more than\n80,000 law enforcement agencies and qualified civil agencies. The IAFIS is internationally\nrecognized as the biometric system leader and contains the largest fingerprint repository in the\nworld.\n\n                             IAFIS Studies, Plans, and Evaluations\n    Document Type                                 Title                            Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                           Aug 2006    1027\n Security Plan             Operational System Security Plan, AFIS                 Jan 1999    588\n Security Plan             System Security Plan, IAFIS, Version 2.1              Mar 2006     591\n Systems Engineering       Systems Engineering Management Plan,\n                                                                                  Jul 2005      592\n Management Plan           Criminal Justice Information Services Division\n Systems Engineering       Systems Engineering Management Plan, SoSSS,\n                                                                                 Nov 2005       593\n Management Plan           Revision 2.2 Final\n                           Configuration Management Plan, Criminal\n Configuration\n                           Justice Information Services Division,                Aug 2002       582\n Management Plan\n                           Revision1.2\n Quality Assurance Plan    Quality Assurance Plan, CJIS Division                 Mar 2005       589\n Verification/Validation   Independent Verification, Validation & Testing\n                                                                                 Nov 1993       586\n Plan                      (IVV&T) SOW, CJIS Division\n                           Build E System Integration and Test Plan (SITP),\n Test Plan                                                                        Jan 1998      577\n                           IAFIS\n Test Plan                 IAFIS System Acceptance Test Plan, Volume 1          Feb 1999        584\n Conversion Plan           Transition Plan, IAFIS, Second Iteration             Apr 1998        596\n Conversion Plan           Transition Plan, IAFIS, Third Iteration              Oct 1998        597\n Implementation Plan       Build D Installation Plan                            Nov 1997        574\n Implementation Plan       Build E Installation Plan                            Apr 1998        576\n Implementation Plan       Build F Installation Plan                            Mar 1998        579\n Implementation Plan       Build F Installation Plan (CWV Draft 3, as Built)     Jun 2000       580\n Implementation Plan       Early Build C Installation Plan                      May 1997        583\n Training Plan             ITN Training Plan                                      Jul 1999      587\n Training Plan             Training Plan, AFIS                                  Nov 1998        595\n Test Report               Build C Test Report, Volume 1                        Aug 1997        573\n Test Report               Build D Test Report, Volume 1                        Dec 1997        575\n Test Report               Build E Test Report, Volume 2                        May 1998        578\n Test Report               Build F1 Test Report, Volume 1                       May 1999        581\n Test Report               IAFIS System Acceptance Test Report                  Aug 1999        585\n\n\n                                              127\n\x0c        The IAFIS was deployed in July 1999 based on 12-year old technology. The IAFIS is\noperating satisfactorily at this time; however, due to increased demand for new and existing\nservices continual upgrades are necessary. Workload projections for FY 2008 are expected to\nexceed 168,000 fingerprint submissions per day. The current IAFIS design capacity is 170,000\nper day. The following IAFIS enhancements are planned for FY 2008: (1) additional system\ncapacity due to increased fingerprint submissions; (2) additional system capacity related to\nprocessing of flat fingerprint submissions in support of the Department of Homeland Security\'\nneed to expedite fingerprint processing at Ports of Entry; and (3) the automation manual\nprocesses related to update of criminal history records to streamline and improve existing\nservices and offer new services. Additionally, four regularly scheduled IAFIS Builds occur each\nyear for defect correction and system enhancements. Requests for change to the IAFIS baseline\nmay be initiated internally or externally at the request of contributing agencies.\n\n       Congressional mandates, such as, the USA PATRIOT Act of 2001, the Enhanced Border\nSecurity and Visa Entry Reform Act of 2001, the DOJ Entry/Exit Border Security Proposal,\npropose new applications for the fingerprint-based identification services provided by the FBI\'s\nIAFIS. To achieve the goals outlined in these Acts and Proposals, enhancements to existing\nIAFIS functions and the development of new IAFIS related capabilities are required.\n\n\n\n\n                                              128\n\x0c                          Information Assurance Technology Infusion\n                                Federal Bureau of Investigation\n\n                             IATI Studies, Plans, and Evaluations\n    Document Type                                Title                       Date      Item #\n                           Feasibility Study, IATI Program, CARA,\n Business Case Study                                                        Mar 2005      605\n                           Version 1.0\n Business Case Study       OMB Exhibit 300 for FY 2008                      Mar 2006      612\n Privacy Impact\n                           Privacy Impact Assessment, CARA                  Apr 2006      613\n Assessment\n                           Risk Management Plan (RMP), Technology\n Risk Management Plan                                                       Nov 2003      616\n                           Infusion Program, Version .8\n                           Program Management Plan, Technology Infusion\n Project Plan                                                               Nov 2003      614\n                           Program, Volume I, Version .19\n                           Security Attachment to the FBI System Security\n Security Plan                                                              May 2006      619\n                           Plan (SSP), IATI Program, IODM, Version 2.0\n                           System Security Plan (SSP), IATI Program,\n Security Plan                                                              May 2006      623\n                           CARA, Version 6.0\n                           System Security Plan (SSP), IATI, SSIAC, SAE,\n Security Plan                                                              Mar 2006      624\n                           Version 7.0\n Systems Engineering       System Engineering Master Plan, IATI Program,\n                                                                            May 2004      621\n Management Plan           Version 1.0\n                           Configuration Management Plan (CMP),\n Configuration\n                           Technology Infusion Program (TI), Volume 1,      Nov 2003      602\n Management Plan\n                           Version 0.5\n                           Quality Assurance Plan (QAP), IATI, Volume 1,\n Quality Assurance Plan                                                     Nov 2003      615\n                           Version .9\n                           System Test Plan, IATI Program, CARA,\n Test Plan                                                                  Jan 2006      625\n                           Version 3.0\n                           Test and Evaluation Master Plan (TEMP), IATI,\n Test Plan                                                                  Apr 2004      626\n                           Draft\n Test Plan                 Test Plan, IATI Program, IODM, Version 3.0       May 2006      627\n                           Transition Plan, IATI Program, CARA,\n Conversion Plan                                                            May 2006      629\n                           Version 1.0\n                           Installation Plan, IATI Program, IODM,\n Implementation Plan                                                        May 2006      608\n                           Version 2.0\n                           System Installation Plan, IATI Program, CARA,\n Implementation Plan                                                        May 2006      622\n                           Version 3.0\n                           Training Plan, IATI Program, CARA,\n Training Plan                                                              Apr 2006      628\n                           Version 2.0\n\n       The Information Assurance Technology Infusion (IATI) Program was initiated and began\nspending funds in FY 2005; the system implementation was completed in FY 2006. IATI is a\nSecurity Division initiative to design, develop, assess, and implement security technology\n\n\n                                            129\n\x0csafeguards in the FBI\xe2\x80\x99s IT enterprise to mitigate risks to and reduce vulnerabilities of the\nBureau\xe2\x80\x99s most critical information assets. IATI provides resources for research, evaluation,\ndesign, development, implementation, and operations and maintenance of IT security solutions\nthat enhance the security for the Federal Bureau of Investigation\xe2\x80\x99s 340 plus information systems.\nMany of these systems directly enable the information sharing requirements for Intelligence,\nCounterterrorism, and operational missions.\n\n\n\n\n                                              130\n\x0c                                Investigative Data Warehouse\n                               Federal Bureau of Investigation\n\n        The FBI\xe2\x80\x99s Investigative Data Warehouse (IDW) began spending funds in FY 2002, and\nsystem implementation was completed in FY 2005. The IDW system provides data storage,\ndatabase management, search, information presentation, and security services allowing FBI\ninvestigative and analytical personnel to access aggregated data previously only available\nthrough individual applications. The IDW system is the successor to the Secure Collaboration\nOperational Prototype Environment (SCOPE), which originally was named the Secure Counter-\nterrorism Operational Prototype Environment.\n\n        The IDW receives, stores, processes data in a heterogeneous computing environment of\nUNIX and Windows Servers. Data processing is conducted by a combination of Commercial-\nOff-the-Shelf (COTS) applications, interpreted scripts, and open-source software applications.\nData storage is provided by several Oracle Relational Database Management Systems (DBMS)\nand in proprietary data formats. Physical storage is contained in Network Attached Storage\n(NAS) devices and component hard disks. Ethernet switches provide connectivity between\ncomponents and to FBI LAN/WAN. An integrated firewall appliance in the switch provides\nnetwork filtering.\n\n       Users of the system are FBI investigative, analytical, and intelligence personnel. These\npersonnel are both FBI employees and contractors. Administrators of the system are FBI IDW\nprogram contractors. Users are permitted to access the system from FBI accredited facilities in\nthe United States of America. IDW is not available to FBI Legal Attach\xc3\xa9 offices.\n\n                             IDW Studies, Plans, and Evaluations\n     Document Type                               Title                           Date    Item #\n Risk Management Plan      Risk Management Plan, IDW, Version 1.0               Feb 2005    631\n Security Plan             System Security Plan, IDW, Version 2.0               May 2006    633\n Conversion Plan           Transition and Deployment Plan, IDW                  Jun 2004    636\n Training Plan             Training Management Plan, IDW                        Jun 2004    635\n                           Test & Evaluation Test Analysis Report\n Test Report                                                                      Jul 2004        634\n                           (TETAR) for IDW, Version 1.1\n\n\n\n\n                                              131\n\x0c                                   Law Enforcement Online\n                                Federal Bureau of Investigation\n\n         LEO is a 24-hours-a-day, 7-days-a-week, on-line, controlled-access communications and\ninformation-sharing data repository. It provides an Internet-accessible focal point for electronic\nSensitive But Unclassified (SBU) communications and information sharing for the federal, state,\nlocal and tribal law enforcement agencies. LEO also supports anti-terrorism, intelligence, law\nenforcement, criminal justice, and public safety communities nationwide. User anywhere in the\nworld can communicate securely using LEO. LEO is accessed by vetted and authorized entities\nusing industry-standard personal computers equipped with any standard Internet browser\nsoftware. LEO currently supports a user base of over 40,000 individuals, who access LEO either\nvia the Internet, dialup, or other dedicated connections. In addition to the current LEO user base,\nthere are 17,000 potential Regional Information Sharing Systems (RISS) users who may have the\nability to access LEO. LEO operates as SBU network under the Computer Security and Privacy\nActs. In summary, LEO provides a mechanism for law enforcement entities to share data\ninternally and externally.\n\n                             LEO Studies, Plans, and Evaluations\n    Document Type                                Title                              Date      Item #\n Business Case Study       OMB Exhibit 300 for BY 2008, CEI                                     1017\n                           Implementation Plan for the LEO System\n Project Plan              Relocation of Primary Operations to the CJIS          May 2006        643\n                           Division\n                           Project Management Plan, LEO, Relocation and\n Project Plan                                                                      Jun 2006      653\n                           Reengineering Project\n                           FBI LEO System Security Plan, dated\n Security Plan                                                                     Jun 2006      642\n                           9 June 2006\n Configuration             LEO Configuration Management (CM)\n                                                                                   Jun 2004      647\n Management Plan           Processes, dated 21 June 2004\n                           System Test Plan, LEO System Relocation of\n Test Plan                 Primary Operations to the CJIS Division (Final          Jun 2006      657\n                           Draft)\n                           Transition Plan, LEO System Relocation of\n Conversion Plan           Primary Operations to the CJIS Division (Final          Jun 2006      659\n                           Draft)\n                           Installation Plan, LEO System Relocation of\n Implementation Plan       Primary Operations to the CJIS Division (Final         Dec 2005       644\n                           Draft)\n Contingency/Continuity\n                        IT Contingency Plan, LEO, Version 1.0 (Draft)            May 2006        645\n Plan\n\n\n\n\n                                               132\n\x0c                             National Crime Information Center\n                              Federal Bureau of Investigation\n\n        The National Crime Information Center (NCIC) is a computerized criminal justice\ninformation system available 24 hours a day, 365 days a year. NCIC is accessed by over 6\nmillion Federal, State, and Tribal entities, including the Department of Homeland Security and\nthe Department of Defense. The NCIC database consists of 18 files, including seven property\nfiles and eleven person files.\n\n                             NCIC Studies, Plans, and Evaluations\n    Document Type                                Title                           Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                          Aug 2006   1028\n                           Risk Management Plan for NCIC 2000, \\Revision\n Risk Management Plan                                                           Feb 1996         684\n                           2\n                           Plan for Early Delivery of the FMS Subsystem,\n Project Plan                                                                   Apr 1997         682\n                           NCIC 2000 Program\n Security Plan             System Security Plan (SSP), NCIC                      Jul 2006        688\n Systems Engineering       System Engineering Management Plan for\n                                                                               May 1996          687\n Management Plan           NCIC 2000\n Configuration             Configuration and Data Management Plan for\n                                                                                Feb 1998         669\n Management Plan           NCIC 2000\n                           Maintainability Test Plan and Procedure for\n Test Plan                                                                     May 1999          675\n                           NCIC 2000\n Test Plan                 Maintainability Test Plan for NCIC 2000              Feb 1994         676\n                           Successive Level Integration Test Plan for\n Test Plan                                                                       Jul 1996        686\n                           NCIC 2000\n Test Plan                 Test and Evaluation Master Plan for NCIC 2000        Mar 1996         690\n                           Preliminary Transition Plan for NCIC,Volume I\n Conversion Plan                                                                Apr 1997         693\n                           of VII, Transition Overview\n Conversion Plan           Transition Plan for NCIC 2000                        Aug 1998         691\n                           Facility Requirements and Installation Plan for\n Implementation Plan                                                             Jul 1998        670\n                           NCIC 2000\n                           Personnel Requirements and Training Plan for\n Training Plan                                                                  Nov 1998         681\n                           NCIC\n                            External Interface Checkout Test Report for\n Test Report                                                                   May 1999          665\n                           NCIC 2000\n                           Fingerprint Matching Subsystem Beta Test\n Test Report                                                                   May 1999          672\n                           Report, NCIC 2000\n Test Report               FMS Reintegration Test Report for NCIC 2000          Mar 1999         673\n Test Report               Maintainability Test Report for NCIC 2000            Jun 1999         677\n                           NCIC 2000 Security Certification and Testing\n Test Report                                                                     Jul 1999        678\n                           Analysis\n\n\n\n\n                                             133\n\x0c        NCIC also contains the Originating Agency Identifier (ORI) file. The NCIC ORI File\ncontains contact information, such as the agency\'s address and telephone number, for agencies\nthat have an ORI. The NCIC may also be used to search and retrieve the criminal history records\nof 50 subjects.\n\n        The NCIC is considered a Sensitive But Unclassified system and is subject to all DOJ\nand FBI policy, standards and practices governing the collection and dissemination of SBU data.\nAccess to the NCIC system is controlled at the agency level by ORI. Authorized users are\nauthenticated by user ID and password. Users are also required to be trained and tested on NCIC\npolicy and practices.\n\n        The NCIC is an invaluable tool that aids law enforcement and criminal justice agency\nofficials in the successful completion of their day-to-day operations and protect the United States\nfrom terrorist attack. The Terrorist Screening Center enters terrorist information in the Violent\nGang and Terrorist Organization File (VGTOF) and maintains the documentation to support the\nterrorist watch-list. Additionally, the National Counterterrorism Center, the Joint Terrorism Task\nForces, and the Field Intelligence Groups have electronic access to NCIC through their\nrespective CJIS System Agency. Federal, State, local and tribal entities may search and retrieve\nVGTOF, and other person records, electronically by name, and a unique numeric identifier such\nas date of birth. Records may also be obtained as a result of a query of the Wanted Person File\nand Stolen Vehicle File. Finally, NCIC will send a notification to the Terrorist Screening Center\nwhenever a fingerprint search results in a hit on a VGTOF record.\n\n       NCIC is in the operations and maintenance phase of the Life Cycle Management\nDirective. In FY 2008, the FBI CJIS Division will continue to upgrade hardware that has\nreached the end of its life-cycle and add new services such as an enhanced ad hoc search\ncapability.\n\n\n\n\n                                               134\n\x0c                          Law Enforcement National Data Exchange\n                              Federal Bureau of Investigation\n\n        Information sharing is mission critical to today\'s public safety mandate. Most law\nenforcement agencies (LEAs) utilize some type of computerized data base to collect incident and\ninvestigative information. Moving this data across jurisdictional boundaries into the hands of\nthose who need to know is a significant challenge. The Law Enforcement National Data\nExchange (N-DEx) concept is to take the data provided by LEAs and criminal justice agencies\nand convert it into valuable information to fight crime and terrorism. N-DEx services extract\nspecific information on people, places, things, the relationship between them, as well as crime\ncharacteristics such as MO\'s and criminal signatures.\n\n        N-DEx will: (1) share complete, accurate, timely and useful criminal justice information\nacross jurisdictional boundaries and provide new investigative tools that enhance the United\nStates\xe2\x80\x99 ability to fight crime and terrorism; (2) provide fusion centers, the National\nCounterterrorism Center, Field Intelligence Groups, Joint Terrorism Task Force, and other\nagencies with access to N-DEx capabilities and services; (3) check all new suspects entered into\nthe system against terrorist watch lists or notify/alert users of addresses that are known to be\nassociated with other suspected terrorists; (4) provide the capability to share sensitive\ninvestigative information while simultaneously protecting the investigative equities of\nproprietary information; (5) provide an electronic catalog of structured criminal justice\ninformation that provides a single point of discovery to assist in locating terrorism information\nand people with relevant knowledge about that information; (6) leverage its national connectivity\nenvironment to create a directory of LEAs and users to facilitate new methods of law\nenforcement collaboration relevant to cases, investigations, or discovered data describing\nterrorist activity; and (7) provide advance search capabilities to discover information when there\nis a lack of key information for conducting a typical query search. N-DEx will provide insights\ninto previously unknown terrorist activity through automated discovery of patterns and linkages\nto detect and deter crime and terrorism.\n\n                            N-DEx Studies, Plans, and Evaluations\n     Document Type                             Title                              Date        Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                           Dec 2006        1029\n Privacy Impact\n                           Privacy Impact Assessment, N-Dex                      Mar 2006        1386\n Assessment\n                           Risk Management Plan, Law Enforcement\n Risk Management Plan                                                            Aug 2006            700\n                           N-DEx, Version 1.4\n Project Plan              Program Plan, Law Enforcement N-Dex                    Jul 2006           699\n                           System Security Plan Attachment H - Risk\n Security Plan                                                                    Jun 2004           702\n                           Assessment, N-Dex Prototype, Version 1.1\n Test Plan                 Certification Test Plan, N-DEx                         Oct 2004           694\n\n\n\n\n                                              135\n\x0c                                 Next Generation Identification\n                                 Federal Bureau of Investigation\n\n        The Next Generation Identification (NGI) project began spending funds in FY 2005. The\nproject will be a major upgrade to the current Integrated Automated Fingerprint Identification\nSystem (IAFIS) that will provide new functionality, as well as improve upon current\nfunctionality. The NGI was included in a previous IAFIS OMB 300 submission because it is a\nmajor upgrade to the existing IAFIS. In 2005, the NGI was separated from the IAFIS exhibit\n300 for management control purposes based on guidance from the FBI\'s Office of the Chief\nInformation Officer.\n\n                              NGI Studies, Plans, and Evaluations\n     Document Type                               Title                               Date    Item #\n Business Case Study        OMB Exhibit 300 for BY 2008                             Aug 2006   1030\n Privacy Impact             PIA, Advanced Fingerprint Identification\n                                                                                                    719\n Assessment                 Technology (AFIT)\n Privacy Impact\n                            PIA, Enhanced IAFIS Repository                                          720\n Assessment\n Privacy Impact\n                            PIA, Interstate Photo System (IPS)                                      721\n Assessment\n Privacy Impact\n                            PIA, National Palm Print System (NPPS)                                  722\n Assessment\n Risk Management Plan       Risk Management Plan, NGI                               Nov 2005        729\n Project Plan               Project Management Plan, NGI, Version 1.0                Jan 2006       726\n Configuration\n                            Configuration Management Plan, NGI                       Apr 2006       709\n Management Plan\n Quality Assurance Plan     Quality Assurance Plan, NGI                             May 2006        727\n Performance\n                            Investment Management/Project Review Board               Feb 2006       713\n Evaluation\n Performance\n                            Program Management Review                               May 2006        725\n Evaluation\n\n         The NGI Program is a compilation of initiatives that will either improve or expand\nexisting biometric identification services. The NGI Program will accommodate increased\ninformation processing and sharing demands in support of anti-terrorism. As a result of the NGI\ninitiatives, the FBI will be able to provide services to enhance interoperability between\nstakeholders at all levels of government, including local, state, federal, and international partners.\nThis will accommodate the increasing need for pre-employment background checks, licenses,\nand will support the increase in border patrol and entry/exit checks. The NGI will allow the FBI\nto: establish a terrorist fingerprint identification system that is compatible with other systems;\nincrease the accessibility and number of the IAFIS terrorist fingerprint records; and provide\nlatent palm print search capabilities.\n\n       The NGI Study Contract was awarded to Intellidyne, L.L.C. on July 1, 2005. Intellidyne,\nL.L.C. and CJIS NGI representatives jointly participated in User Requirements Canvasses which\n\n                                                136\n\x0cincluded onsite interviews, telephonic interviews and written surveys resulting in the\nidentification of over 1,000 new requirements, including high-priority, specialized requirements\nin the Latent Services, Facial Recognition, and Multi-modal Biometrics areas.\n\n\n\n\n                                              137\n\x0c                   National Instant Criminal Background Check System\n                              Federal Bureau of Investigation\n\n        The National Instant Criminal Background Check System (NICS) prevents the transfer of\na firearm to persons who are prohibited from possessing or receiving a firearm while allowing\nthe timely transfer to those individuals that are not prohibited. Title 18, Section 922 of the\nUnited States Code defines who is prohibited from shipping, transporting, possessing, or\nreceiving any firearm or ammunition in or affecting commerce. The NICS was created through\nthe collaborative efforts of the FBI; the Bureau of Alcohol, Tobacco, Firearms and Explosives;\nthe Department of Justice; local, state, and other federal law enforcement agencies; and private\ncontractor support.\n\n                             NICS Studies, Plans, and Evaluations\n    Document Type                                 Title                         Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                         Dec 2006   1031\n Security Plan             System Security Plan, NICS/ FBI                     May 1998    746\n Configuration             Configuration Management Plan, CJIS Division,\n Management Plan           Revision 1.2                                        Aug 2002        732\n Quality Assurance Plan    Quality Assurance Plan, CJIS Division               Mar 2005        743\n                           Certification Test Plan, NICS/E-Checks/NICS\n Test Plan\n                           Call Center                                          Sep 2005       730\n Test Plan                 Formal Qualification Test Plan, NICS                  Jul 1998      737\n                           System Test Plan, NICS Efficiency Upgrade\n Test Plan\n                           Project, Draft                                       Jun 2003       747\n Conversion Plan           NICS Rehost Transition Plan                         May 2004        742\n Conversion Plan           Transition Plan NICS Efficiency Upgrade Project     Oct 2003        749\n Implementation Plan       Installation Plan, NICS                              Jun 1998       740\n Implementation Plan       NICS Efficiency Upgrade Installation Plan, Draft    Sep 2003        741\n                           Superdome System Administration and\n Implementation Plan\n                           Installation Cookbook, NICS [Rehost]                  Jul 2005      745\n                           Windows 2003 Server Installation Cookbook,\n Implementation Plan\n                           NICS, Revision 3.0 [Efficiency Upgrade]              Mar 2006       750\n Contingency/Continuity\n                        Contingency Plan, NICS\n Plan                                                                           Dec 2001       733\n Contingency/Continuity\n                        Contingency Plan, NICS and E-Check\n Plan                                                                           Sep 2005       735\n Test Report            Formal Qualification Test Report, NICS                  Oct 1998       739\n\n        The NICS Regulation, Title 28, Code of Federal Regulations, Part 25, Subpart A requires\nthe NICS to provide Federal Firearms Licensees (FFL) with an immediate response regarding the\nperson for whom the receipt of a firearm would violate the Code. Additionally, if the initial\nresponse is a "delay," the NICS is required to provide the FFLs with a "proceed" or "deny"\nresponse within three business days. The NICS Regulation provides the states with the option to\nact as a point of contact (POC) for NICS transactions and allows the FBI to serve as the POC in\n\n\n                                             138\n\x0cthose states that have chosen not to perform the checks. There are currently 13 full POC\nstates/territories, eight partial POC state/territories, and 35 non-POC state/territories.\n\n        The NICS Regulation required development of other electronic means of contact as an\nalternative to the telephone. Therefore, the NICS E-Check was developed. This function\nenables the FFLs to initiate an unassisted NICS background check for firearm transfers via the\nInternet. When the FFLs conduct a NICS check, a name search is conducted for matching\nrecords in the following three databases: (1) the National Crime Information Center, which\ncontains information on wanted persons; (2) the Interstate Identification Index, which contains\ncriminal history records; and (3) the NICS Index, which contains the names of prohibited\npersons as outlined in the Brady Act.\n\n        During FYs 2006 and 2007, the NICS will undergo an extensive Business Process\nRe-design study to seek opportunities to improve the NICS services. FY 2008 funding will be\nused to finalize the results of the study, provide project management and business case support\nand conduct requirements development efforts.\n\n\n\n\n                                               139\n\x0c           Multi-Agency Information Sharing Initiative Regional Data Exchange\n                             Federal Bureau of Investigation\n\n        The Multi-Agency Information Sharing Initiative (MISI) Regional Data Exchange\n(R-DEx) project began spending funds in FY 2005. The R-DEx is designed to provide the\ncapability to share full text investigative information from federal, state, and local investigative\nagencies. R-DEx will provide searching, link analysis, and geo-spatial capabilities to aid\ninvestigators, analysts, and managers in analyzing criminal activity. It will facilitate the\nelimination of suspects, setting leads, and establishing linkages in cases that wouldn\'t otherwise\noccur. R-DEx is being developed in four phases. Phase I was the development of the concept of\nOperations, System Requirements Document, and Tool Suite that meets those requirements.\nPhase II was the implementation of the system as an operational prototype in St. Louis,\nSan Diego, and Seattle. Phase III was the implementation of up to ten additional sites.\n\n        The DOJ Law Enforcement Information Sharing Program (LEISP) strategy facilities\nimproved capabilities for law enforcement agencies to collaborate across agency, jurisdictional\nand geographic boundaries making that information available for use by all law enforcement\nagents. R-DEX fits into the LEISP data fusion category by co-mingling data on a regional level.\nR-DEX will provide for the collections and sharing of regional data between federal, state, local\nand tribal law enforcement agencies, regional FBI sites, and other federal law enforcement\nagencies. R-DEX development and deployment for Phase III will be coordinated with the\nDOJ/OCIO to ensure that development as a part of the FBI Information Sharing Initiative,\ndesigned to facilitate the sharing of information at the federal, state, and local levels, which\nprovides an integrated approach to the development or upgrade of systems designed to share\ninvestigative information by providing powerful analytical tools for analyzing integrated datasets\nand making the information available to users at all levels of government. LEISP will: leverage\nexisting system capabilities, architectural components, and business services where plausible;\nredirect the management and execution of projects where performance failures or weaknesses\nhave been identified; and result in the development of a single enterprise wide information\nsharing architecture for the Department. LEISP is the critical DOJ-wide initiative to facilitate\nthe sharing of what law enforcement knows about terrorism, criminal activity and threats to\npublic safety.\n\n                             R-DEx Studies, Plans, and Evaluations\n    Document Type                                  Title                            Date    Item #\n Business Case Study        OMB Exhibit 300 for BY 2008                            Dec 2006   1032\n                            Risk Assessment and Risk Management Matrix\n Risk Management Plan                                                               Jul 2005       662\n                            (RMM), RDEX, Version 1.0\n                            System Security Plan, FBI Regional Data\n Security Plan                                                                     May 2006        664\n                            Exchange (R-DEx), Version 4.2\n Test Plan                  Certification Test Plan, R-DEx, Version 1.6            Feb 2005        660\n Test Report                Certification Test Report, R-DEx, Version 1.6          Feb 2005        661\n\n\n\n\n                                               140\n\x0c                 Sensitive Compartment Information Operational Network\n                              Federal Bureau of Investigation\n\n       The Sensitive Compartment Information Operational Network (SCION) began spending\nfunds in FY 2003. The FBI is working to strengthen its capabilities to detect, analyze,\nunderstand, expose, pre-empt, interdict, terminate, and prosecute terrorist activities before they\ncan reach the stage of causing harm to the United States. SCION will enhance these capabilities\nby providing agents, counter-terrorism intelligence analysis, and their staffs with modern\ninformation processing/extraction tools and unified access to relevant and appropriate data\nsources at the TS/SCI level.\n\n        SCION is a common TS/SCI network providing FBI users with standard applications,\ndata sharing, and through Joint Worldwide Intelligence Communication System (JWICS), access\nto other intelligence community information systems. SCION primarily supports the FBI\nCounter Intelligence (CI) and Counter-Terrorism (CT) divisions. SCION provides the means for\nthe divisions to access raw intelligence and intelligence products, perform analysis, and to\ndistribute intelligence product.\n\n                            SCION Studies, Plans, and Evaluations\n     Document Type                             Title                                Date      Item #\n Privacy Impact\n                           Full Privacy Impact Assessment, TS/SCI LAN             Dec 2002       751\n Assessment\n Security Plan             System Security Plan, SCION                            Aug 2004       753\n Configuration\n                           Configuration Management Plan, SCION                   Dec 2003       752\n Management Plan\n Test Report               Certification Test Results, TS/SCI LAN                May 2003        754\n\n\n\n\n                                               141\n\x0c                                           Sentinel\n                                Federal Bureau of Investigation\n\n      The Sentinel project began spending funds in FY 2005 with implementation projected for\nFY 2010 The FBI is implementing Sentinel to replace legacy systems and to provide\nimprovements identified in the wake of the Oklahoma Bombing Case, the terrorist attacks of\nSeptember 11, and the Hanssen Espionage Case.\n\n        The FBI\xe2\x80\x99s investigative case management systems maintain more than 300,000 open and\nclosed cases per year, which together contain more than 100 million text documents. However,\nonly a subset of the information currently collected by the Bureau is being entered into the\nAutomated Case Support (ACS) for FBI-wide access. ACS data entry processes are manually\nintensive, and a significant backlog for entering data into ACS exists in some locations. ACS\nhas extremely limited capabilities for structuring the information collected by the FBI. Agents\nand analysts throughout the Bureau maintain case data and significant intelligence information\noff-line in their own internally developed or commercial-off-the shelf (COTS) applications that\nrun on stand-alone desktops. The information residing in these systems is available only to those\nusers that have direct system access.\n\n                          SENTINEL Studies, Plans, and Evaluations\n     Document Type                             Title                                Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                             Aug 2006   1033\n Privacy Impact\n                            Sentinel Phase 1 Privacy Impact Assessment             Feb 2006      1434\n Assessment\n Risk Management Plan       Risk Management Plan, SENTINEL, Version 1.2             Jul 2005       772\n                            Acquisition Plan (FD-911), SENTINEL,\n Acquisition Plan                                                                  Aug 2005        755\n                            Version 2.0\n                            Source Selection Plan, FBI Sentinel Program,\n Acquisition Plan                                                                  Aug 2005      1037\n                            Version 2.95\n                            Program Management Plan, SENTINEL,\n Project Plan                                                                      Aug 2005        770\n                            Version 1.2\n Systems Engineering        Systems Engineering Management Plan (SEMP),\n                                                                                   Jun 2005        776\n Management Plan            SENTINEL\n Configuration              Configuration Management Plan, SENTINEL\n                                                                                    Jul 2005       758\n Management Plan            PMO, Version 1.1\n                            Quality Management Plan, SENTINEL,\n Quality Assurance Plan                                                             Jul 2005       771\n                            Version 1.0\n                            Test and Evaluation Master Plan (TEMP),\n Test Plan                                                                          Jul 2005       777\n                            SENTINEL\n Performance\n                            Lessons Learned, Sentinel, Version 1.0                  Jul 2005     1039\n Evaluation\n\n       Sentinel will put critical information in the hands of agents and analysts in the field.\nWith few exceptions, Sentinel will provide its users with instantaneous access to all information\nentered into a case file. It will improve the collection and availability of information by allowing\n\n                                               142\n\x0cusers to create electronic documents using web-based forms. Sentinel will include a multimedia\ncapability that will rectify a longstanding information-sharing limitation with the FBI. Agents\nwill be able to scan documents, photographs, and other electronic media into the case file,\nallowing evidence and other case-related information to be shared among agents working on a\ncase without the need to exchange physical copies of the information\n\n\n\n\n                                             143\n\x0c                           Security Management Information System\n                                Federal Bureau of Investigation\n\n        The Security Management Information System (SMIS) project began spending funds in\nFY 2004. SMIS is a multi-year technology initiative employing knowledge management\nconcepts hosted on an Enterprise Service Bus compliant with the FBI\xe2\x80\x99s Service Oriented\nEnterprise Architecture to increase the ability of the FBI to develop, analyze, share, manage and\nstore security related data in order to reduce risk to people, facilities, operations and information.\n\n                              SMIS Studies, Plans, and Evaluations\n     Document Type                                 Title                               Date    Item #\n Business Case Study        OMB Exhibit 300 for BY 2007                               Jan 2006    797\n Privacy Impact             Initial Privacy Impact Assessment, Polygraph\n                                                                                     Aug 2005        791\n Assessment                 Workflow Management Application\n Privacy Impact\n                            Initial Privacy Impact Assessment, SMIS                  Aug 2005        792\n Assessment\n                            Privacy Impact Assessment, Security Division\n Privacy Impact\n                            Implementation the Financial Disclosure Forms            Feb 2006        798\n Assessment\n                            Analyzer\n Risk Management Plan       Risk Management Plan, SMIS, Final 1.1                    Dec 2005        817\n                            Project Plan, SMIS Facilities Certification and\n Project Plan                                                                        Mar 2006        812\n                            Accreditation Component, Draft\n                            Project Plan, SMIS Financial Disclosure Forms\n Project Plan                                                                        Feb 2006        813\n                            Analyzer Component, Draft\n Project Plan               Project Plan, SMIS, Version 0.7, Draft                    Jul 2005       814\n                            System Security Plan, Financial Disclosure\n Security Plan                                                                        Jan 2006       826\n                            Forms Analyzer (FDF-A), Version 1.2\n                            System Security Plan, Polygraph Workflow\n Security Plan                                                                       Apr 2006        827\n                            Management System\n Configuration              Configuration Management Plan, SMIS, PMO,\n                                                                                      Jul 2005       785\n Management Plan            Version 1.0\n Quality Assurance Plan     Quality Management Plan, SMIS, Version 1.0                Jul 2005       815\n Test Plan                  Certification Test Plan, FDF-A                            Jan 2006       782\n                            Test and Evaluation Master Plan for the\n Test Plan                                                                           Aug 2005        829\n                            Polygraph Workflow Management Application\n                            Testing and Evaluation Master Plan Unit Testing\n Test Plan                                                                           Mar 2006        831\n                            and Traceability Matrix, SMIS FCA Application\n                            Training Plan for the Polygraph Workflow\n Training Plan                                                                       Sep 2005        833\n                            Management Application\n Test Report                Certification Test Report, FDF-A                         Feb 2006        783\n                            Test Analysis Report for the Polygraph\n Test Report                                                                         Nov 2005        828\n                            Workflow Management Application\n Performance                Control Gate Review Exit Report, SMIS, FDF-A,\n                                                                                     Mar 2006        786\n Evaluation                 Gate 6 - OAR\n\n\n                                                144\n\x0c     Document Type                            Title                                 Date      Item #\n Performance               Investment Management/ Project Review Board\n                                                                                   Jan 2005         794\n Evaluation                (IMPRB), Summary Notes\n Performance               Investment Management/ Project Review Board\n                                                                                  Aug 2005          793\n Evaluation                (IMPRB), Summary Notes\n\n        The SMIS project will replace out-dated manual work processes and proliferating,\nstand-alone spreadsheets and databases with an efficient, cohesive, highly automated capability\nenabling authorized users to effectively and efficiently mine multiple security related\napplications, databases, and other electronically assimilated sources of relevant data to provide\nthe Bureau with timely, actionable intelligence and security support information. Upon\ncompletion, SMIS will contain all security-related information for the entire professional life\ncycle of a person, facility or system. The enhanced capabilities will allow Security Division\n(SecD) to share selected information with other divisions, law enforcement entities, and the\nIntelligence Community (IC) in the most efficient manner.\n\n\n\n\n                                               145\n\x0c                               Technical Refreshment Program\n                               Federal Bureau of Investigation\n\n       The Technical Refreshment Program (TRP) project began spending funds in FY 2007.\nThe program is an orderly and planned replacement of the FBI\'s technical assets associated with\nthe FBI\'s FBINET and UNet enclaves, which are the primary backbones of the FBI\'s\ncommunications and operations. The TRP will follow the FBI\'s enterprise architecture technical\nreference model to support the technical framework. The standards, specifications, and\ntechnologies that support the delivery of service components and capabilities will be\naccomplished by replacing IT equipment at 20 percent per year.\n\n        The FBI has experienced information technology growth because of the new tasks forces,\nnew data sharing initiatives, and new classified programs. The FBI currently has over 60,000\ndesktops, 27,000 laptops, 21,000 printers, and over 2,600 servers. The FBI requires funds to\nrefresh and upgrade network components, enhance network functions, incorporate new network\nmanagement software, and provide new features for monitoring and control. As mandated by\nOMB, the FBI will plan to upgrade all components to implement the FBI to IPv6 for network\ncommunications. Control and software tools will be constantly enhanced and integrated, and\nimprove the ability of EOC personnel to manage the FBI\'s IT infrastructure. The improvements\nwill enable the FBI to continue to improve the productivity and efficiency of the FBI\'s IT\ninfrastructure. The program is chartered to replace aging and out of date IT Hardware to\nminimize obsolescence, in advance of loss of service or hardware failure. The impact, if not\nfunded, will put the FBI at risk. This is due to the fact that the hardware cannot be serviced, as\nthe IT industry will not support IT hardware beyond its 5th year of service.\n\n                            TRP Studies, Plans, and Evaluations\n     Document Type                             Title                              Date    Item #\n Business Case Study       OMB Exhibit 300 for BY 2008                           Dec 2006   1034\n Performance\n                           Project Summary Report, TRP\n Evaluation                                                                                      836\n\n\n\n\n                                              146\n\x0c                                  Terrorist Screening Center\n                                Federal Bureau of Investigation\n\n        The Terrorist Screening Center (TSC) project began spending funds in FY 2004. The\nproject was formed by the Department of Justice in response to Homeland Security Presidential\nDirective-6 (HSPD-6), dated 16 September 2003. The TSC originates and maintains the United\nStates\xe2\x80\x99 only consolidated terrorist identities database, participates in and explores ways to\nimprove information sharing with all defense, national security, intelligence and law\nenforcement partners, as well as select foreign partners, and initiates and leads the Federal\nSearch Working Group.\n\n        The TSC supports national security by providing information on both international and\ndomestic terrorist identities on demand for agencies and/or Departments, including the\nDepartment of State, the Department of Homeland Security\xe2\x80\x99s Customs and Border Protection\nand Transportation Security Administration, granting access on the basis of need-to-know to the\nlimit prescribed by the originating agency of record. The TSC\'s links with many communities,\nincluding law enforcement at the state, local, tribal and territorial levels, are maintained around\nthe clock.\n\n                              TSC Studies, Plans, and Evaluations\n    Document Type                                 Title                             Date    Item #\n Business Case Study        OMB Exhibit 300 for BY 2008                            Dec 2006   1035\n                            Risk Management Plan, Terrorist Screening\n Risk Management Plan                                                              Apr 2006           845\n                            Center (TSC), Version 1.7 (Draft)\n Project Plan               TSDB Automated Ingest Project Plan                     Apr 2006           849\n                            System Security Plan, TSDB Phase 1B,\n Security Plan                                                                                        846\n                            Version 1.2\n Verification/Validation    Independent Verification and Validation (IV &V)\n                                                                                                      848\n Plan                       Plan, TSC\n                            Independent Verification and Validation (IV &V)\n Test Plan                                                                                            848\n                            Plan, TSC\n Test Plan                  Test Management Plan, TSDB 1.7.1                      Mar 2006            847\n Test Report                IV & V Test Report, TSDB 1.8.0.2, TSC                 May 2006            843\n\n        The TSC\'s basic philosophy is of information sharing with all partner agencies, and\nparticipation in monthly information sharing sessions with partner agencies and foreign\ngovernment representatives. The TSC hosts regular training for all employees, to include\nsensitive but unclassified classifications and privacy issues. Despite budget constraints,\nimprovements in efficiency and functionality are ongoing and necessary to obtain the full scope\nof HSPD-6 and meet the mandate of the President\'s Management Agenda. The TSC uses the\nvery latest search and retrieval technologies to meet these requirements, and is pioneering search\ntechnology in several areas, most notably search standards through development of a control\ndatabase, search "cocktails" by the use of a combination of multiple search engines, and the\nfederation of searches to search several databases at one time.\n\n\n                                               147\n\x0c       In budget year 2008, the TSC plans to develop an ability for external users to query the\nTerrorist Screening Database (TSDB), as well as a portal for external users to better reach and\nshare and exchange information with the TSC call center, intelligence and nominations\npersonnel. The query capability will be in production by early FY 2008, with the portal to\nfollow. Future efforts will include improved data consumption of NCTC into the TSDB,\ndeployment of biometric capability, planned hardware and software interface with DHS,\nVoiceprint and DNA data, and improved privacy and security features within EMA supporting\nTSDB.\n\n\n\n\n                                              148\n\x0c                          Classified Information Technology Program\n                                  Justice Management Division\n\nComponents Involved: All components except FBI\n\n                              CITP Studies, Plans, and Evaluations\n    Document Type                                 Title                       Date      Item #\n                            Enterprise Proof-of-Concept Functional\nMarket/Other Research                                                        Dec 2003     154\n                            Requirements, JSIT, Version 1.1\n                            Fiscal Year 2005 Information Technology\nBusiness Case Study                                                                       158\n                            Concept Paper\nBusiness Case Study         OMB Exhibit 300 for BY 2006                                   173\nPrivacy Impact\n                            Initial Privacy Impact Assessment, JCON-S                     161\nAssessment\nPrivacy Impact\n                            Initial Privacy Impact Assessment, JCON-TS                    162\nAssessment\nPrivacy Impact\n                            Privacy Threshold Analysis, JCON-S                            175\nAssessment\nPrivacy Impact\n                            Privacy Threshold Analysis, JCON-TS                           176\nAssessment\nRisk Management Plan        Risk Assessment/Risk Matrix, JWICS               Dec 2003     180\n                            Risk Management Plan, Enterprise SIPRNET,\nRisk Management Plan                                                         Mar 2003     181\n                            Draft\nRisk Management Plan        Risk Management Plan, JIST, Version 1.0, Draft   Jul 2006     182\nAcquisition Plan            Acquisition Plan, CITP, Version 1.0              Jan 2006     142\n                            MOA between JCON and DTO Regarding\nProject Plan                Operation and Support of the JCON Classified     Dec 2003     171\n                            Infrastructure, Version 0.2, Draft\nProject Plan                Program Guide, JCON-S, Version 2.1               May 2005     177\n                            System Security Authorization Agreement\nSecurity Plan                                                                Feb 2004     188\n                            (SSAA), JCON-S\n                            System Security Plan, JWICS Network,\nSecurity Plan                                                                Dec 2003     189\n                            JCON-TS\nConfiguration               Configuration Management Process, JCON-S,\n                                                                             Dec 2003     147\nManagement Plan             Appendix V, Version 1.1\nConfiguration               Published Documents, Configuration\n                                                                             May 2004     146\nManagement Plan             Management Plan, JCON-S, Version 1.0\nVerification/Validation\n                            Engagement Security Approach, JCON-S                          153\nPlan\nTest Plan                   Acceptance Test Plan and Report                  Dec 2003     168\n                            Security Test and Evaluation Plan, JCON-S,\nTest Plan                                                                    Feb 2004     186\n                            Appendix E\nConversion Plan             Data Migration, ADNET to JCON-S                               150\nImplementation Plan         Sample JSIT Deployment Plan                                   151\n\n\n                                             149\n\x0c    Document Type                              Title                             Date      Item #\n                           Computer Security Awareness and Training\n Training Plan             (C/SAT) Plan, JCON-S Enterprise System,             Dec 2003       145\n                           Version 2.1\n Contingency/Continuity\n                        Contingency Plan, JCON-S, Appendix L                   Feb 2004       149\n Plan\n Contingency/Continuity\n                        Contingency Plan, JWICS Network, Appendix M                           148\n Plan\n Test Report            Acceptance Test Plan and Report                        Dec 2003       168\n                        Security Test and Evaluation Plan, JCON-S,\n Test Report                                                                   Feb 2004       186\n                        Appendix E\n\n        The Classified Information Technology Program (CITP) project began spending funds in\nFY 2003. The mission is to develop a Department of Justice Classified Enterprise Architecture,\nan initial operational infrastructure, and an Operations and Maintenance Model for processing\nclassified information. The scope of the project includes classified information technology for\nall Department of Justice components except the Federal Bureau of Investigation. The project\xe2\x80\x99s\nobjectives are to: (1) define requirements to support implementation of a Department Sensitive\nCompartmented Information and Collateral Classified Information Processing Capability;\n(2) implement initial capabilities for Top Secret/Sensitive Compartmented Information and\nCollateral Classified Information Processing Capability; and (3) define an ongoing program for\nDepartment of Justice Classified Information Technology.\n\n\n\n\n                                             150\n\x0c                                Integrated Wireless Network\n                                Justice Management Division\n\nComponents Involved: All Components\n\n        The Integrated Wireless Network (IWN) project began spending funds in FY 2001. The\nproject is a collaborative effort by the Departments of Justice, Homeland Security, and the\nTreasury to provide a consolidated, nationwide federal wireless communications service that\nreplaces stovepipe stand alone component systems, and supports law enforcement, first\nresponder, and homeland security requirements with integrated communications services in a\nwireless environment.\n\n                             IWN Studies, Plans, and Evaluations\n    Document Type                                Title                        Date    Item #\n Market/Other Research     Market Research Summary                           Apr 2004   1388\n Business Case Study       High Level Design Report                                      198\n Business Case Study       OMB Exhibit 300 for BY 2007                       Jan 2006    206\n                           Risk Management Plan, DOJ Wireless\n Risk Management Plan                                                        Jun 2006         211\n                           Management Office, Justice Wireless Network\n Acquisition Plan          Acquisition Plan, IWN JPO                         Aug 2004         195\n                           Program Plan FY 2006, Joint Program Office,\n Project Plan                                                                Jun 2005         209\n                           Draft\n                           Strategic Plan 2005-2010, Integrated Wireless\n Project Plan                                                                Jun 2006     1004\n                           Network (IWN), (Draft)\n Security Plan             System Security Plan, Beta Test System            Nov 2004         214\n Configuration\n                           Configuration Management Plan, JPO IWN            Jun 2004         196\n Management Plan\n Quality Assurance Plan    Quality Assurance Plan, DOJ Wireless Network                       210\n Verification/Validation\n                           Data System Functional Tests, JPO-Pilot System    Oct 2004         192\n Plan\n Verification/Validation\n                           Network Management                                Oct 2004         193\n Plan\n Verification/Validation\n                           Report Generation Tests                           Oct 2004         194\n Plan\n                           Data System Functional Tests, JPO-IWN Pilot\n Test Plan                                                                   Oct 2004         192\n                           System\n Test Plan                 Network Management                                Oct 2004         193\n Test Plan                 Report Generation Tests                           Oct 2004         194\n                           Security Test and Evaluation Report: Beta Test\n Test Plan                                                                   Nov 2004         213\n                           System\n                           Organizational Readiness Transition Activities,\n Implementation Plan                                                         Sep 2004         203\n                           IWN Seattle-Blaine Service Area\n Implementation Plan       Transition Plan                                   Oct 2004         215\n\n\n\n                                             151\n\x0c     Document Type                                 Title                               Date       Item #\n                             Personnel Training for the Integrated Wireless\n Training Plan                                                                       Nov 2004        208\n                             Network\n Contingency/Continuity\n                             Contingency Plan, JPO IWN Northwest Zone\n Plan                                                                                 Jun 2005       197\n Performance                 Beta Benchmark Assessment, IWN\n                                                                                                     202\n Evaluation                  Seattle/Blaine\n Post-Implementation         Beta Benchmark Assessment, IWN\n                                                                                                     202\n Evaluation                  Seattle/Blaine\n\n        The IWN will implement solutions to provide federal agency interoperability with\nappropriate links to state, local, and tribal public safety, and homeland security entities. Justice,\nTreasury and DHS personnel represent the majority of law enforcement personnel within the\nFederal Government and are responsible for fulfilling numerous duties related to national law\nenforcement, protective missions, and homeland security missions. These operations are made\nmore effective, efficient, and safe through the use of tactical communications. Unfortunately,\ncurrent legacy wideband networks do not have sufficient communications capabilities to support\nthe successful accomplishment of core activities. Many of the existing systems are 15 years old\nor older and are increasingly unreliable and expensive to maintain. Furthermore, varying tactical\ncommunications systems exist between field offices and organizations, preventing basic\ninteroperability and presenting logistical issues during the course of routine enforcement\nactivities. This incompatibility of systems makes communications interoperability difficult to\nachieve.\n\n        To meet these challenges, the IWN design is based on a very high frequency, Project 25\ntrunked system utilizing a packet switched Internet Protocol backbone. Additionally, the system\ndesign provides for encrypted communications. The network is presently based on land mobile\nradio services, and may be complemented by commercial wireless service solutions. The IWN\nwill also be designed to facilitate interoperability with other federal, state and local public safety\npartners.\n\n\n\n\n                                                152\n\x0c                            Justice Consolidated Office Network\n                               Justice Management Division\n\nComponents Involved: Antitrust Division, Civil Division, Civil Rights Division, Community\nRelations Service, Criminal Division, Environment and Natural Resources Division, Executive\nOffice for Immigration Review, Executive Office for United States Attorneys, Federal Bureau of\nPrisons, Justice Management Division, Office of Justice Programs, Tax Division, U. S. Marshals\nService, U. S. Trustee Program, U. S. National Central Bureau of INTERPROL, U. S. Parole\nCommission\n\n       The JCON program began in FY 1996. The program provides a standard, consolidated\nDOJ Enterprise Office Solution, in partnership with DOJ components and the Office of Chief\nInformation Officer\xe2\x80\x99s staff, through the delivery of standing technology products and services.\nJCON is the critical infrastructure that provides a reliable and robust common office automation\nplatform upon which 16 of the Department\xe2\x80\x99s litigating, management, and law enforcement\ncomponents operate their mission-critical applications. The cornerstone of the JCON is the\nJCON Standard Architecture, which defines the basic information technology computing\nframework, including networked workstations, servers, printers, a common set of core\napplications, such as email and word processing, and a basic set of system administration tools.\nJCON also provide the infrastructure for components to access case management and other\nmission-related databases, e-Gov applications, and the Department\xe2\x80\x99s law enforcement, litigation,\nand administration systems. JCON provides the fundamental IT tools and services required by\nDepartment employees and contractors to perform their daily work functions.\n\n                            JCON Studies, Plans, and Evaluations\n    Document Type                                Title                            Date    Item #\n Market/Other Research     JCON Architecture Study, Final Report                 Jan 1998    227\n                           Request for Information (RFI), JCON PMO,\n Market/Other Research                                                          Apr 2006      1012\n                           Version 1.0\n Business Case Study       OMB Exhibit 300 for BY 2007                          Dec 2005       387\n Privacy Impact\n                           Initial Privacy Impact Assessment                                   380\n Assessment\n Privacy Impact\n                           Privacy Threshold Analysis                                          390\n Assessment\n Risk Management Plan      Risk Management Plan, JCON PMO, Version 2             Jul 2003      400\n Acquisition Plan          Contract Administration, JCON                                       374\n                           Project Management Plan Template, JCON PMO\n Project Plan                                                                  May 2005        391\n                           SDLC, Version 2.0\n                           Project Management Plan, Civil Rights Division,\n Project Plan                                                                   Dec 2005       392\n                           JCON Implementation\n                           Project Management Plan, EOUSA JCON IIA\n Project Plan                                                                  May 2005        393\n                           Deployment\n Project Plan              Project Management Plan, JCON Modernization          Jun 2005       394\n Project Plan              Strategic and Tactical Plan, JCON                    Apr 2005      1005\n\n\n                                             153\n\x0c   Document Type                             Title                      Date      Item #\nSecurity Plan          System Security Plan, JCON-COAR                 May 2006      404\nSystems Engineering    Systems Engineering Process, JCON PMO,\n                                                                       Jun 2006     407\nManagement Plan        Version 1.0\nConfiguration          Configuration Management Plan, JCON PMO,\n                                                                       Mar 2006     372\nManagement Plan        Version 1.2\n                       System Test Plan for DOJ EOIR, Version 1.0,\nTest Plan                                                              Aug 2005     405\n                       Draft\n                       System Test Plan Template, JCON PMO SDLC,\nTest Plan                                                              Mar 2005     406\n                       Version 1.0\nImplementation Plan    Implementation Plan, EOIR, Final Version 2.7    May 2006     379\n                       JCON Implementation Plan Template and\nImplementation Plan                                                    Mar 2005     382\n                       Guidance, JCON PMO SDLC, Version 2.0\nContingency/Continuity\n                       Contingency Plan, JCON COAR, Version 1.8        Mar 2006     373\nPlan\nTest Report            Security Test and Evaluation, JCON COAR         May 2006     401\n                       System Analysis Report JCON Civil Rights\nTest Report                                                            Apr 2006     403\n                       Division Design, Version 1 - Final\nPerformance            Department Executive Review Board\n                                                                       Feb 2005     375\nEvaluation             Presentation\nPost-Implementation    Civil Rights Division Lessons Learned Report,\n                                                                       May 2006     371\nEvaluation             JCON IIA Implementation Phase\nPost-Implementation    Lessons Learned Report for the JCON Civil\n                                                                       May 2006     385\nEvaluation             Deployment Implementation Phase\nPost-Implementation    Lessons Learned Report Template and Guidance,\n                                                                       Jan 2005     386\nEvaluation             JCON PMP SDLC, Version 1.0\nPost-Implementation\n                       Summary of Findings, Email Users Survey         Dec 2005     402\nEvaluation\n\n\n\n\n                                        154\n\x0c                            Litigation Case Management System\n                                Justice Management Division\n\nComponents Involved:         Executive Office for United States Attorneys\n                             Antitrust Division\n                             Civil Division\n                             Civil Rights Division\n                             Criminal Division\n                             Environment and Natural Resources Division\n                             Tax Division\n\n         The Department\xe2\x80\x99s major litigating components are highly decentralized, with information\nstored in numerous disconnected systems. The Litigation Case Management System (LCMS)\ninitiative will develop and implement a common case management solution for the litigating\ncomponents that will support efficient, automated information sharing and streamlined reporting\ncapabilities. The project is part of the Department\xe2\x80\x99s Case Management Common Solutions and\nOMB\xe2\x80\x99s Lines of Business Programs to develop business-driven, common solutions across\nagencies. The LCMS will consist of a suite of solutions built on a common foundation, creating\na case management architectural blueprint, data standards, and other products that should be\nreusable by other agencies. (The OMB-300 for budget year 2007 indicates that several\ncomponents were in various stages of pursing their own solutions, and are now participating in\nthe LCMS program.)\n\n       The LCMS project began spending funds in FY 2003 and is planned to be phased in\nincrementally, beginning with Phase 1 in FY 2007 in U.S. Attorney\xe2\x80\x99s Offices. Phase 1 is\nintended to incorporate case information management and reporting, workload management, and\ntime reporting. Litigation support tools that can be used by attorneys to organize and manage\nindividual cases are not part of Phase 1.\n\n                           LCMS Studies, Plans, and Evaluations\n    Document Type                              Title                             Date    Item #\n Market/Other Research    Final Market Research Report, LCMS                    Jun 2005    250\n Business Case Study      OMB Exhibit 300 for BY 2007                           Dec 2005    252\n                          Technical Evaluation Report, LCMS Phase 1,\n Business Case Study                                                            Apr 2006       256\n                          Version 0.9, Final\n Privacy Impact\n                          Privacy Impact Assessment (Draft)                    May 2005      1383\n Assessment\n Project Plan             Project Management Plan, Version 1.2                 Aug 2005        254\n Configuration            Project Configuration Management Plan,\n                                                                                Apr 2005       253\n Management Plan          Version 1.1\n\n\n\n\n                                             155\n\x0c                                  Public Key Infrastructure\n                                 Justice Management Division\n\nComponents Involved: All Components\n\n          The Department of Justice has established a Public Key Infrastructure Program (PKI) to\nprovide infrastructure-level trust services to enhance existing and planned business processes,\napplications, and services. The PKI will enhance security in order to foster communication\nbetween Department personnel across Components, other Federal, State, and Local Government\nagencies, commercial business partners, and transactions involving private citizens. The PKI is\nnot in itself a security service, but instead is an underlying infrastructure-level service that\nenhances the offerings of existing security services within the DOJ enterprise. To augment these\nsecurity services, the PKI Program will seek to establish an enterprise-wide public key capability\nand look to enable key business processes to leverage the services provided by the DOJ PKI.\n\n                             PKI Studies, Plans, and Evaluations\n     Document Type                              Title                              Date    Item #\n Market/Other Research     Planning and Design Support, DOJ PKI                   Oct 2002    232\n Business Case Study       Business Case, DOJ Enterprise PKI, Version 1.0         Jul 2004    216\n Business Case Study       OMB Exhibit 300 for BY 2008, CEI                                  1017\n Privacy Impact\n                           Privacy Threshold Analysis (questionnaire)                            235\n Assessment\n Project Plan           Project Management Plan, DOJ PKI                         Aug 2004        236\n Security Plan          System Security Plan, DOJ PKI, Revision 2                Mar 2006        244\n                        Configuration Management Plan, DOJ PKI\n Configuration\n                        Program and Technical Support, Version 1.1,              Mar 2005        220\n Management Plan\n                        Draft\n                        Test and Evaluation Master Plan, DOJ PKI,\n Test Plan                                                                        Apr 2005       245\n                        Revision 1\n                        Deployment Implementation Plan, DOJ PKI,\n Implementation Plan                                                              Jun 2005       222\n                        Final\n Training Plan          Training Plan, DOJ PKI, Final                             Apr 2005       247\n                        Chain of Custody Processes, DOJ PKI, Version\n Disposition Plan                                                                 Jun 2005       218\n                        1.01\n Contingency/Continuity IT Contingency Plan, DOJ PKI, Appendix L,\n                                                                                 Mar 2006        226\n Plan                   Revision 3\n                        Security Test and Evaluation Plan (Final),\n Test Report                                                                     May 2005        242\n                        DOJ PKI\n Test Report            Test Report, DOJ PKI, Draft                               Jun 2005       246\n Performance            Earned Value Management, DOJ Enterprise PKI\n                                                                                                 223\n Evaluation             Infrastructure Service Office\n\n\n\n\n                                              156\n\x0c                            Unified Financial Management System\n                                Justice Management Division\n\nComponents Involved: All components\n\n       The Department of Justice has initiated an effort to implement a unified system that will\nimprove the existing and future financial management and procurement operations across DOJ.\nThe Department will address these needs via the implementation of the Unified Financial\nManagement System (UFMS), which is planned to replace six core financial management\nsystems and multiple procurement systems currently operating across DOJ with an integrated\ncommercial off the shelf solution.\n\n                                UFMS Studies, Plans, and Evaluations\n     Document Type                               Title                             Date   Item #\n Market/Other Research     Financial Vendor Response Summary Draft                          1418\n Business Case Study       OMB Exhibit 300 for BY 2007                           Dec 2005     99\n Privacy Impact            Privacy Impact Assessment, UFMS, Working\n                                                                                 Dec 2006      1399\n Assessment                Draft\n Risk Management Plan      Risk and Issue Management Plan, Version 2.0           Sep 2004          101\n                           Acquisition Plan UFMS Integration and\n Acquisition Plan                                                                Jun 2005          86\n                           Implementation Services\n Acquisition Plan          Acquisition Strategy Paper, DOJ UFMS                  Jun 2002          87\n                           DOJ Program Office Charter and Program\n Project Plan                                                                    Sep 2004          93\n                           Management Plan, Version 2.0\n                           Implementation and Integration - Project\n Project Plan                                                                    Jun 2006          94\n                           Management Plan, Version 1.0\n Security Plan             Security Management Plan (UFMS), Version 2.0          Jan 2006          103\n Security Plan             System Security Plan (SSP) for DOJ UFMS               Dec 2005          105\n Systems Engineering       Integration and Implementation - Systems\n                                                                                  Jul 2006         96\n Management Plan           Engineering Plan\n Configuration\n                           Configuration Management Plan, Version 1.0            Aug 2005           88\n Management Plan\n Configuration\n                           Configuration Management Plan, Version 2.0            Jun 2006          89\n Management Plan\n                           Integration and Implementation - Quality Control\n Quality Assurance Plan                                                           Jul 2006         95\n                           Plan, Version 1.0\n                           Integration and Implementation Test and\n Test Plan                                                                        Jul 2006         97\n                           Evaluation Master Plan\n Conversion Plan           Data Conversion Strategy, Version 1.0                  Jul 2006          92\n Implementation Plan       System Implementation Plan, Version 1.0                Jul 2006         106\n Training Plan             Training Strategy, Version 1.0                         Jul 2006         109\n\n       The UFMS will allow the DOJ to streamline and standardize business processes and\nprocedures across all components, providing accurate, timely, and useful financial data to\n\n\n                                              157\n\x0cfinancial and Program managers across the Department, and produce component- and\nDepartment-level financial statements. In addition, the system will assist the DOJ by improving\nfinancial management performance and aid Department components in addressing the material\nweaknesses and non-conformances in internal controls, accounting standards, and systems\nsecurity identified by the OIG. Finally, the system will provide procurement functionality,\nconsolidated management information, and the capability to meet all mandatory requirements of\nthe Federal Acquisition Regulation and the Justice Acquisition Regulations.\n\n\n\n\n                                             158\n\x0c                             Justice Grants Management System\n                                  Office of Justice Programs\n\nComponents Involved: Office of Justice Programs\n                     Office of Community Oriented Policing Services\n\n        The Justice Grants Management System (JGMS) is a web based, data driven application\nthat provides end-to-end support for the application, approval, and management of grants for the\nproposed Justice Grants Management Consortium. JGMS is adaptable to accommodate the\nvarying grants processes and grants types of its multiple users. JGMS supports the core missions\nand grants processes of DOJ\'s Office of Justice Programs and Office on Violence Against\nWomen, and is targeted to incorporate the Community Oriented Policing Services (COPS)\nprogram. The Office of Grants and Training, Department of Homeland Security is also an\nestablished JGMS user and will continue to be supported by JGMS.\n\n                            JGMS Studies, Plans, and Evaluations\n    Document Type                                Title                           Date       Item #\n Business Case Study       OMB Exhibit 300 for BY 2007                                         364\n                           Grant Adjustment Notice (GAN) Module Project\n Project Plan                                                                   Sep 2005          360\n                           Management Plan, Draft\n                           System Security Plan for Grants Management\n Security Plan                                                                  Feb 2006          340\n                           System\n Configuration\n                           Configuration Management Plan, OJP                  Nov 2004           341\n Management Plan\n Test Plan                 GAN Module Test Plan, OJP                                              347\n                           GMS Grant Adjustment Notice Module Test\n Test Plan                                                                      Oct 2005          346\n                           Cases\n                           Grant Adjustment Notice Module Test Plan,\n Test Plan                                                                                        348\n                           Phase 2\n Training Plan             GMS GAN Training Plan, (Draft)                      May 2005           359\n Contingency/Continuity\n                        Continuity of Operations Plan, OJP                       Jul 2005         342\n Plan\n                        Functional Requirements Document, Grant\n Test Report                                                                   Nov 2005           345\n                        Adjustments, OJP, Version 1.1\n Test Report            GAN Test Problem Report (Spreadsheet)                                     357\n Test Report               Validation Test Script Forms, GMS                    Feb 2006     1390\n\n        The Justice Grants Management Consortium formalizes the existing alliance of JGMS\nusers, with the addition of new users with like interests such as COPS. JGMS has the capability\nto accommodate additional prospective agencies whose missions support first responder and\ndisaster grants programs, should they elect to join the Consortium as members. JGMS provides\nan interface with the Grants.gov portal to allow potential applicants to conduct searches and\napply for DOJ and Department of Homeland Security grant opportunities using the Grants.gov\nFind and Apply capabilities. JGMS will also build upon its interface with the financial\n\n                                             159\n\x0cmanagement system which accounts for its DOJ users\' grant funds and disburses funds to\ngrantees, and its capability to export financial-related grants transaction data to external financial\nsystems.\n\n\n\n\n                                                160\n\x0c                                                                APPENDIX VII\n\n                           PRIOR OIG REPORTS\n\nPerformance Audits and Inspection Reports\n\n  Report\n                                            Report Title\n  Number\n              The Drug Enforcement Administration\xe2\x80\x99s Management of Enterprise\n   04-36\n              Architecture and Information Technology Investments\n              The Bureau of Alcohol, Tobacco, Firearms and Explosives and Federal\n   05-01\n              Bureau of Investigation\xe2\x80\x99s Arson and Explosives Intelligence Databases\n              Federal Bureau of Investigation\xe2\x80\x99s Management of the Trilogy Information\n   05-07\n              Technology Modernization Project\n   05-22      The Joint Automated Booking System\n   05-27      Review of the Terrorist Screening Center\n              Bureau of Alcohol, Tobacco, Firearms, and Explosives National Integrated\n   05-30\n              Ballistic Information Network Program\n              Processing Classified Information on Portable Computers in the\n   05-32\n              Department of Justice\n              Review of the Terrorist Screening Center\xe2\x80\x99s Efforts To Support the Secure\n   05-34\n              Flight Program \xe2\x80\x93 Limited Official Use\n              The Status of Enterprise Architecture and Information Technology\n   06-02\n              Investment Management in the Department in the Department of Justice\n              The Federal Bureau of Investigation\xe2\x80\x99s Pre-Acquisition Planning For and\n   06-14\n              Controls Over the Sentinel Case Management System\n              Inventory of Major Department of Justice Information System\n   06-25\n              Investments as of FY 2006\n              The Federal Bureau of Investigation\'s Implementation of the Laboratory\n   06-33\n              Information Management System\n              Sentinel Audit II: Status of the Federal Bureau of Investigation\xe2\x80\x99s Case\n   07-03\n              Management System Redacted\n              Progress Report on Development of the Integrated Wireless Network in\n   07-25\n              the Department of Justice\nI-2005-001*   Follow-up Review of the Status of the IDENT/IAFIS Integration\n              Follow-up Review of the FBI\xe2\x80\x99s Progress Toward Biometric Interoperability\nI-2006-007*\n              Between IAFIS and IDENT\n\n* Denotes an inspection report prepared by the OIG Inspections Division.\n\n\n\n\n                                      161\n\x0cFederal Information Security Related Audits\n\n  Report\n                                         Report Title\n  Number\n            Independent Evaluation Pursuant to the Federal Information Security\n   05-16    Management Act - Fiscal Year 2004 - United States Marshals Service\xe2\x80\x99s\n            Automated Prisoner Scheduling System\n            Independent Evaluation Pursuant to the Federal Information Security\n            Management Act - Fiscal Year 2004 - Drug Enforcement\n   05-21\n            Administration\xe2\x80\x99s Investigative Management Program and Case\n            Tracking System (IMPACT)\n            Independent Evaluation Pursuant to the Federal Information Security\n   05-23    Management Act - Fiscal Year 2004 - United States Marshals Service\xe2\x80\x99s\n            Information Security Program\n            Independent Evaluation Pursuant to the Federal Information Security\n   05-26    Management Act - Fiscal Year 2004 - Federal Bureau of Investigation\xe2\x80\x99s\n            Tactical Operations Unit Network (TOUNET) \xe2\x80\x93 Secret\n            Independent Evaluation Pursuant to the Federal Information Security\n   05-29    Management Act - Fiscal Year 2004 - Drug Enforcement\n            Administration\xe2\x80\x99s Information Security Program \xe2\x80\x93 Limited Official Use\n            Independent Evaluation Pursuant to the Federal Information Security\n   05-31    Management Act - Fiscal Year 2004 - Federal Bureau of Investigation\xe2\x80\x99s\n            Information Security Program \xe2\x80\x93 Limited Official Use\n            Independent Evaluation Pursuant to the Federal Information Security\n   06-01    Management Act \xe2\x80\x93 Fiscal Year 2004- Department\xe2\x80\x99s Information\n            Technology Security and Oversight Program \xe2\x80\x93 Limited Official Use\n            Independent Evaluation Pursuant to the Federal Information Security\n            Management Act - FY 2005 - Department of Justice\xe2\x80\x99s Justice\n   06-20\n            Management Division Information Security Program and Oversight \xe2\x80\x93\n            Limited Official Use\n            Independent Evaluation Pursuant to the Federal Information Security\n   06-22    Management Act \xe2\x80\x93 Fiscal Year 2005 - Federal Bureau of Investigation\xe2\x80\x99s\n            Automated Case Support Application - Secret\n            Independent Evaluation Pursuant to the Federal Information Security\n   06-23    Management Act - FY 2005 - Federal Bureau of Investigation\xe2\x80\x99s\n            Information Security Program \xe2\x80\x93 Secret\n            Independent Evaluation Pursuant to the Federal Information Security\n            Management Act - Fiscal Year 2005 - The Department of Justice\xe2\x80\x99s\n   06-27\n            Drug Enforcement Administration Information Security Program -\n            Limited Official Use\n            Independent Evaluation Pursuant to the Federal Information Security\n   06-28    Management Act \xe2\x80\x93 Fiscal Year 2005 - The Department of Justice\xe2\x80\x99s\n            Federal Bureau of Prisons\xe2\x80\x99 Inmate Telephone System II\n            Independent Evaluation Pursuant to the Federal Information Security\n   06-29    Management Act \xe2\x80\x93 Fiscal Year 2005 - The Department of Justice\xe2\x80\x99s\n            Federal Bureau of Prisons\xe2\x80\x99 Information Security Program\n\n\n                                   162\n\x0c  Report\n                                          Report Title\n  Number\n            Independent Evaluation Pursuant to the Federal Information Security\n   06-31    Management Act \xe2\x80\x93 Fiscal Year 2005 - The Drug Enforcement\n            Administration\xe2\x80\x99s El Paso Intelligence Center Seizure System\n\n\n\nFinancial Statement Related Audits\n\n Report\n                                          Report Title\n Number\n  05-03    Department of Justice Annual Financial Statement Fiscal Year 2004\n  05-05    Working Capital Fund Annual Financial Statement Fiscal Year 2004\n  05-06    Offices, Boards and Divisions Annual Financial Statement Fiscal Year 2004\n           Federal Bureau of Investigation Annual Financial Statement Fiscal Year\n  05-08\n           2004\n           Federal Prison Industries, Inc., Annual Financial Statement Fiscal Year\n  05-09\n           2004\n  05-11    Bureau of Prisons Annual Financial Statement Fiscal Year 2004\n           Assets Forfeiture Fund and Seized Asset Deposit Fund Annual Financial\n  05-12\n           Statement Fiscal Year 2004\n           United States Marshals Service Annual Financial Statement Fiscal Year\n  05-13\n           2004\n           Drug Enforcement Administration Annual Financial Statement Fiscal Year\n  05-14\n           2004\n           Bureau of Alcohol, Tobacco, Firearms and Explosives Annual Financial\n  05-15\n           Statement, Fiscal Year 2004\n  05-17    Office of Justice Programs Financial Statement Fiscal Year 2004\n           Review of the Federal Bureau of Investigation Headquarters\xe2\x80\x99 Information\n  05-35\n           Systems Control Environment Fiscal Year 2004 \xe2\x80\x93 Secret\n           Office of Justice Programs Annual Financial Statement Fiscal Year 2003 As\n  05-36\n           Restated\n           Office of Justice Programs Annual Financial Statement Fiscal Year 2004 As\n  05-38\n           Restated\n  06-04    The Department of Justice Annual Financial Statement Fiscal Year 2005\n  06-05    Offices, Boards and Divisions Annual Financial Statement Fiscal Year 2005\n           Federal Bureau of Investigation Annual Financial Statement Fiscal Year\n  06-06\n           2005\n           Asset Forfeiture Fund and Seized Asset Deposit Fund Annual Financial\n  06-07\n           Statement Fiscal Year 2005\n           United States Marshals Service Annual Financial Statement Fiscal Year\n  06-09\n           2005\n           Drug Enforcement Administration\xe2\x80\x99s Annual Financial Statement Fiscal\n  06-10\n           Year 2005\n  06-12    Working Capital Fund Annual Financial Statement Fiscal Year 2005\n\n\n                                    163\n\x0cReport\n                                        Report Title\nNumber\n06-17    Office of Justice Programs Annual Financial Statement Fiscal Year 2005\n         Federal Prison Industries, Inc., Annual Financial Statement Fiscal Year\n06-18\n         2005\n06-19    Federal Bureau of Prisons Annual Financial Statement Fiscal Year 2005\n         Bureau of Alcohol, Tobacco, Firearms and Explosives Annual Financial\n06-21\n         Statement Fiscal Year 2005\n         Department of Justice Review of the Consolidated Information System\n06-24\n         General Controls Environment - Fiscal Year 2005 - Limited Official Use\n07-08    Office, Boards and Divisions Annual Financial Statement Fiscal Year 2006\n         Federal Bureau of Investigation Annual Financial Statement Fiscal Year\n07-09\n         2006\n         Drug Enforcement Administration Annual Financial Statement Fiscal Year\n07-11\n         2006\n07-21    Office of Justice Programs Annual Financial Statement Fiscal Year 2006\n\n\n\n\n                                  164\n\x0c                                   APPENDIX VIII\n\nDEPARTMENT\xe2\x80\x99S RESPONSE TO THE DRAFT REPORT\n\n\n\n\n                   165\n\x0c166\n\x0c167\n\x0c                                                                APPENDIX IX\n\n    INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS\n                NECESSARY TO CLOSE REPORT\n\n       The OIG provided a draft of this audit report to the Department for\nreview and comment. The Department\xe2\x80\x99s response of July 24, 2007, included\nin this report as Appendix VIII, concurs with the five recommendations and\nproposes corrective action sufficient to resolve all the recommendations.\nOur analysis of the response to the recommendations is provided below.\n\n1. Resolved. We recommended that the Department\xe2\x80\x99s CIO evaluate why\n   project teams do not prepare certain plans and evaluations, reassess the\n   utility of those documents, and consider revising the standards for\n   producing studies, plans, and evaluations for individual IT projects. The\n   Department\xe2\x80\x99s response indicates the OCIO will review selected projects to\n   determine the rationales for preparing certain studies, plans, and\n   evaluations, and consider revising the current guidelines. This\n   recommendation is resolved based on the planned action, but the\n   Department did not provide a specific timeframe for the process to be\n   completed. The Department should provide a specific timeframe for this\n   process to be completed, and the recommendation can be closed when\n   we receive documentation of the results of this review.\n\n2. Resolved. We recommended that the CIO consider revising the\n   guidelines for tailoring the work pattern for specific types of projects. The\n   Department\xe2\x80\x99s response indicated the OCIO will conduct an evaluation of\n   the various IT project types and will develop standard work patterns and\n   deviations or waivers for each project type. This recommendation is\n   resolved based on the planned actions, but the Department did not\n   provide a timeframe for the process to be completed. The OCIO should\n   provide a specific timeframe for the process to be completed, and the\n   recommendation can be closed when we receive documentation of the\n   results of this effort.\n\n3. Resolved. We recommended that the CIO ensure that post-\n   implementation and post-termination reviews are conducted that focus on\n   lessons learned for project planning and management. This\n   recommendation is resolved based on the CIO\xe2\x80\x99s plans to implement a\n   post implementation review process that will follow guidance in the Office\n   of Management and Budget\xe2\x80\x99s Capital Programming Guide. The\n   Department did not provide a specific timeframe for the process to be\n   implemented. The Department should provide a specific timeframe for\n\n                                      168\n\x0c  this process to be implemented, and the recommendation can be closed\n  when we receive documentation demonstrating that this process has\n  been implemented.\n\n4. Resolved. We recommended that the CIO ensure that staff receive\n   training needed to direct and oversee contractor efforts adequately. This\n   recommendation is resolved based on the CIO\xe2\x80\x99s response that the\n   qualifications of the IT project managers for major IT projects are now\n   reviewed each year during the exhibit 300 review, and that all IT project\n   managers are now required to be re-certified as contracting officers\xe2\x80\x99\n   technical representatives every 5 years. The recommendation can be\n   closed when we receive documentation of: (1) the FY 2004 validation of\n   project manager qualifications, (2) the procedures used for review of\n   project manager qualifications, and (3) the requirement that project\n   managers be certified and re-certified as contracting officers\xe2\x80\x99 technical\n   representatives.\n\n5. Resolved. We recommended that the CIO implement targeted reviews\n   to improve the use of business process re-engineering and requirements\n   analysis early in concept development. This recommendation is resolved\n   based on the Department\xe2\x80\x99s plan to implement review criteria to ensure\n   that business process re-engineering and requirements analysis are\n   effectively incorporated early into the concept development phase of\n   project planning, and that targeted reviews will be conducted at the\n   discretion of the Department Investment Review Board. The Department\n   did not provide a specific timeframe for these actions to be implemented.\n   The Department should provide a specific timeframe for these actions to\n   be implemented, and the recommendation can be closed when we receive\n   documentation that the actions have been implemented.\n\n\n\n\n                                    169\n\x0c'